Experience Builder


Terraform


Repository
stacksimplify / terraform-on-aws-eks
Description

Terraform on AWS EKS Kubernetes IaC SRE- 50 Real-World Demos

Stars

 396

Failed Checks
  •  Security Scanning
  •  Linting

Scan Date

2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
                    
    2023-10-05 14:49:15,687 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:4.17.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:49:15,687 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:4.0.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:49:15,688 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.0.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:49:15,688 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:~>2.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:49:15,689 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:4.5.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:49:15,689 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:3.11.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:49:15,690 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:3.3.0 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 9137, Failed checks: 2937, Skipped checks: 0
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.ec2demo
    	File: /02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		18 | resource "aws_instance" "ec2demo" {
    		19 |   ami           = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
    		20 |   instance_type = "t2.micro"
    		21 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.ec2demo
    	File: /02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		18 | resource "aws_instance" "ec2demo" {
    		19 |   ami           = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
    		20 |   instance_type = "t2.micro"
    		21 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.ec2demo
    	File: /02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		18 | resource "aws_instance" "ec2demo" {
    		19 |   ami           = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
    		20 |   instance_type = "t2.micro"
    		21 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.ec2demo
    	File: /02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		18 | resource "aws_instance" "ec2demo" {
    		19 |   ami           = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
    		20 |   instance_type = "t2.micro"
    		21 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.ec2demo
    	File: /02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		29 | resource "aws_instance" "ec2demo" {
    		30 |   ami           = "ami-04d29b6f966df1537" # Amazon Linux
    		31 |   instance_type = var.instance_type
    		32 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.ec2demo
    	File: /02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		29 | resource "aws_instance" "ec2demo" {
    		30 |   ami           = "ami-04d29b6f966df1537" # Amazon Linux
    		31 |   instance_type = var.instance_type
    		32 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.ec2demo
    	File: /02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		29 | resource "aws_instance" "ec2demo" {
    		30 |   ami           = "ami-04d29b6f966df1537" # Amazon Linux
    		31 |   instance_type = var.instance_type
    		32 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.ec2demo
    	File: /02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		29 | resource "aws_instance" "ec2demo" {
    		30 |   ami           = "ami-04d29b6f966df1537" # Amazon Linux
    		31 |   instance_type = var.instance_type
    		32 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm
    	File: /03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2 | resource "aws_instance" "myec2vm" {
    		3 |   ami = "ami-0742b4e673072066f"
    		4 |   instance_type = "t3.micro"
    		5 |   user_data = file("${path.module}/app1-install.sh")
    		6 |   tags = {
    		7 |     "Name" = "EC2 Demo"
    		8 |   }
    		9 | }
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm
    	File: /03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2 | resource "aws_instance" "myec2vm" {
    		3 |   ami = "ami-0742b4e673072066f"
    		4 |   instance_type = "t3.micro"
    		5 |   user_data = file("${path.module}/app1-install.sh")
    		6 |   tags = {
    		7 |     "Name" = "EC2 Demo"
    		8 |   }
    		9 | }
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm
    	File: /03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2 | resource "aws_instance" "myec2vm" {
    		3 |   ami = "ami-0742b4e673072066f"
    		4 |   instance_type = "t3.micro"
    		5 |   user_data = file("${path.module}/app1-install.sh")
    		6 |   tags = {
    		7 |     "Name" = "EC2 Demo"
    		8 |   }
    		9 | }
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm
    	File: /03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2 | resource "aws_instance" "myec2vm" {
    		3 |   ami = "ami-0742b4e673072066f"
    		4 |   instance_type = "t3.micro"
    		5 |   user_data = file("${path.module}/app1-install.sh")
    		6 |   tags = {
    		7 |     "Name" = "EC2 Demo"
    		8 |   }
    		9 | }
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.vpc-ssh
    	File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c3-ec2securitygroups.tf:2-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		2  | resource "aws_security_group" "vpc-ssh" {
    		3  |   name        = "vpc-ssh"
    		4  |   description = "Dev VPC SSH"
    		5  |   ingress {
    		6  |     description = "Allow Port 22"
    		7  |     from_port   = 22
    		8  |     to_port     = 22
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   egress {
    		14 |     description = "Allow all ip and ports outbound"    
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | 
    		21 |   tags = {
    		22 |     Name = "vpc-ssh"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.vpc-web
    	File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c3-ec2securitygroups.tf:27-55
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		27 | resource "aws_security_group" "vpc-web" {
    		28 |   name        = "vpc-web"
    		29 |   description = "Dev VPC Web"
    		30 |   ingress {
    		31 |     description = "Allow Port 80"
    		32 |     from_port   = 80
    		33 |     to_port     = 80
    		34 |     protocol    = "tcp"
    		35 |     cidr_blocks = ["0.0.0.0/0"]
    		36 |   }
    		37 |   ingress {
    		38 |     description = "Allow Port 443"
    		39 |     from_port   = 443
    		40 |     to_port     = 443
    		41 |     protocol    = "tcp"
    		42 |     cidr_blocks = ["0.0.0.0/0"]
    		43 |   }  
    		44 |   egress {
    		45 |     description = "Allow all ip and ports outbound"    
    		46 |     from_port   = 0
    		47 |     to_port     = 0
    		48 |     protocol    = "-1"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   tags = {
    		53 |     Name = "vpc-web"
    		54 |   }
    		55 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm
    	File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   tags = {
    		9  |     "Name" = "EC2 Demo 2"
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm
    	File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   tags = {
    		9  |     "Name" = "EC2 Demo 2"
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm
    	File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   tags = {
    		9  |     "Name" = "EC2 Demo 2"
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm
    	File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   tags = {
    		9  |     "Name" = "EC2 Demo 2"
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.vpc-ssh
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c3-ec2securitygroups.tf:2-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		2  | resource "aws_security_group" "vpc-ssh" {
    		3  |   name        = "vpc-ssh"
    		4  |   description = "Dev VPC SSH"
    		5  |   ingress {
    		6  |     description = "Allow Port 22"
    		7  |     from_port   = 22
    		8  |     to_port     = 22
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   egress {
    		14 |     description = "Allow all ip and ports outbound"    
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | 
    		21 |   tags = {
    		22 |     Name = "vpc-ssh"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.vpc-web
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c3-ec2securitygroups.tf:27-55
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		27 | resource "aws_security_group" "vpc-web" {
    		28 |   name        = "vpc-web"
    		29 |   description = "Dev VPC Web"
    		30 |   ingress {
    		31 |     description = "Allow Port 80"
    		32 |     from_port   = 80
    		33 |     to_port     = 80
    		34 |     protocol    = "tcp"
    		35 |     cidr_blocks = ["0.0.0.0/0"]
    		36 |   }
    		37 |   ingress {
    		38 |     description = "Allow Port 443"
    		39 |     from_port   = 443
    		40 |     to_port     = 443
    		41 |     protocol    = "tcp"
    		42 |     cidr_blocks = ["0.0.0.0/0"]
    		43 |   }  
    		44 |   egress {
    		45 |     description = "Allow all ip and ports outbound"    
    		46 |     from_port   = 0
    		47 |     to_port     = 0
    		48 |     protocol    = "-1"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   tags = {
    		53 |     Name = "vpc-web"
    		54 |   }
    		55 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm[0]
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm[0]
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm[0]
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm[0]
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm[1]
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm[1]
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm[1]
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm[1]
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.vpc-ssh
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c3-ec2securitygroups.tf:2-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		2  | resource "aws_security_group" "vpc-ssh" {
    		3  |   name        = "vpc-ssh"
    		4  |   description = "Dev VPC SSH"
    		5  |   ingress {
    		6  |     description = "Allow Port 22"
    		7  |     from_port   = 22
    		8  |     to_port     = 22
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   egress {
    		14 |     description = "Allow all ip and ports outbound"    
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | 
    		21 |   tags = {
    		22 |     Name = "vpc-ssh"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.vpc-web
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c3-ec2securitygroups.tf:27-55
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		27 | resource "aws_security_group" "vpc-web" {
    		28 |   name        = "vpc-web"
    		29 |   description = "Dev VPC Web"
    		30 |   ingress {
    		31 |     description = "Allow Port 80"
    		32 |     from_port   = 80
    		33 |     to_port     = 80
    		34 |     protocol    = "tcp"
    		35 |     cidr_blocks = ["0.0.0.0/0"]
    		36 |   }
    		37 |   ingress {
    		38 |     description = "Allow Port 443"
    		39 |     from_port   = 443
    		40 |     to_port     = 443
    		41 |     protocol    = "tcp"
    		42 |     cidr_blocks = ["0.0.0.0/0"]
    		43 |   }  
    		44 |   egress {
    		45 |     description = "Allow all ip and ports outbound"    
    		46 |     from_port   = 0
    		47 |     to_port     = 0
    		48 |     protocol    = "-1"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   tags = {
    		53 |     Name = "vpc-web"
    		54 |   }
    		55 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		11 | resource "aws_instance" "myec2vm" {
    		12 |   ami = data.aws_ami.amzlinux2.id
    		13 |   instance_type = var.instance_type
    		14 |   user_data = file("${path.module}/app1-install.sh")
    		15 |   key_name = var.instance_keypair
    		16 |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		17 |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		18 |   for_each = toset(data.aws_availability_zones.my_azones.names)
    		19 |   availability_zone = each.key  # You can also use each.value because for list items each.key == each.value
    		20 |   tags = {
    		21 |     "Name" = "for_each-Demo-${each.value}"
    		22 |   }
    		23 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		11 | resource "aws_instance" "myec2vm" {
    		12 |   ami = data.aws_ami.amzlinux2.id
    		13 |   instance_type = var.instance_type
    		14 |   user_data = file("${path.module}/app1-install.sh")
    		15 |   key_name = var.instance_keypair
    		16 |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		17 |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		18 |   for_each = toset(data.aws_availability_zones.my_azones.names)
    		19 |   availability_zone = each.key  # You can also use each.value because for list items each.key == each.value
    		20 |   tags = {
    		21 |     "Name" = "for_each-Demo-${each.value}"
    		22 |   }
    		23 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		11 | resource "aws_instance" "myec2vm" {
    		12 |   ami = data.aws_ami.amzlinux2.id
    		13 |   instance_type = var.instance_type
    		14 |   user_data = file("${path.module}/app1-install.sh")
    		15 |   key_name = var.instance_keypair
    		16 |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		17 |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		18 |   for_each = toset(data.aws_availability_zones.my_azones.names)
    		19 |   availability_zone = each.key  # You can also use each.value because for list items each.key == each.value
    		20 |   tags = {
    		21 |     "Name" = "for_each-Demo-${each.value}"
    		22 |   }
    		23 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		11 | resource "aws_instance" "myec2vm" {
    		12 |   ami = data.aws_ami.amzlinux2.id
    		13 |   instance_type = var.instance_type
    		14 |   user_data = file("${path.module}/app1-install.sh")
    		15 |   key_name = var.instance_keypair
    		16 |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		17 |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		18 |   for_each = toset(data.aws_availability_zones.my_azones.names)
    		19 |   availability_zone = each.key  # You can also use each.value because for list items each.key == each.value
    		20 |   tags = {
    		21 |     "Name" = "for_each-Demo-${each.value}"
    		22 |   }
    		23 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
    		11 |   az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
    		11 |   az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
    		11 |   az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
    		11 |   az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.vpc-ssh
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c3-ec2securitygroups.tf:2-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		2  | resource "aws_security_group" "vpc-ssh" {
    		3  |   name        = "vpc-ssh"
    		4  |   description = "Dev VPC SSH"
    		5  |   ingress {
    		6  |     description = "Allow Port 22"
    		7  |     from_port   = 22
    		8  |     to_port     = 22
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   egress {
    		14 |     description = "Allow all ip and ports outbound"    
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | 
    		21 |   tags = {
    		22 |     Name = "vpc-ssh"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.vpc-web
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c3-ec2securitygroups.tf:27-55
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		27 | resource "aws_security_group" "vpc-web" {
    		28 |   name        = "vpc-web"
    		29 |   description = "Dev VPC Web"
    		30 |   ingress {
    		31 |     description = "Allow Port 80"
    		32 |     from_port   = 80
    		33 |     to_port     = 80
    		34 |     protocol    = "tcp"
    		35 |     cidr_blocks = ["0.0.0.0/0"]
    		36 |   }
    		37 |   ingress {
    		38 |     description = "Allow Port 443"
    		39 |     from_port   = 443
    		40 |     to_port     = 443
    		41 |     protocol    = "tcp"
    		42 |     cidr_blocks = ["0.0.0.0/0"]
    		43 |   }  
    		44 |   egress {
    		45 |     description = "Allow all ip and ports outbound"    
    		46 |     from_port   = 0
    		47 |     to_port     = 0
    		48 |     protocol    = "-1"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   tags = {
    		53 |     Name = "vpc-web"
    		54 |   }
    		55 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type: 
    		11 |     az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type: 
    		11 |     az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type: 
    		11 |     az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type: 
    		11 |     az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /08-AWS-EKS-Cluster-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /08-AWS-EKS-Cluster-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /08-AWS-EKS-Cluster-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /08-AWS-EKS-Cluster-Basics/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c5-kubernetes-loadbalancer-service-clb.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-lb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       name        = "http"
    		12 |       port        = 80
    		13 |       target_port = 80
    		14 |     }
    		15 |     type = "LoadBalancer"
    		16 |   }
    		17 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.np_service
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c6-kubernetes-nodeport-service.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "np_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-nodeport-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       name        = "http"
    		12 |       port        = 80
    		13 |       target_port = 80
    		14 |       node_port   = 31280
    		15 |     }
    		16 |     type = "NodePort"
    		17 |   }
    		18 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service_nlb
    	File: /11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c7-kubernetes-loadbalancer-service-nlb.tf:3-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		3  | resource "kubernetes_service_v1" "lb_service_nlb" {
    		4  |   metadata {
    		5  |     name = "myapp1-lb-service-nlb"
    		6  |     annotations = {
    		7  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer  
    		8  |     }   
    		9  |   }
    		10 |   spec {
    		11 |     selector = {
    		12 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		13 |     }
    		14 |     port {
    		15 |       name        = "http"
    		16 |       port        = 80
    		17 |       target_port = 80
    		18 |     }
    		19 |     type = "LoadBalancer"
    		20 |   }
    		21 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /12-Terraform-Remote-State-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /12-Terraform-Remote-State-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /12-Terraform-Remote-State-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /12-Terraform-Remote-State-Storage/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c5-kubernetes-loadbalancer-service-clb.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-lb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       name        = "http"
    		12 |       port        = 80
    		13 |       target_port = 80
    		14 |     }
    		15 |     type = "LoadBalancer"
    		16 |   }
    		17 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.np_service
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c6-kubernetes-nodeport-service.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "np_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-nodeport-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       name        = "http"
    		12 |       port        = 80
    		13 |       target_port = 80
    		14 |       node_port   = 31280
    		15 |     }
    		16 |     type = "NodePort"
    		17 |   }
    		18 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service_nlb
    	File: /12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c7-kubernetes-loadbalancer-service-nlb.tf:3-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		3  | resource "kubernetes_service_v1" "lb_service_nlb" {
    		4  |   metadata {
    		5  |     name = "myapp1-lb-service-nlb"
    		6  |     annotations = {
    		7  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer  
    		8  |     }   
    		9  |   }
    		10 |   spec {
    		11 |     selector = {
    		12 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		13 |     }
    		14 |     port {
    		15 |       name        = "http"
    		16 |       port        = 80
    		17 |       target_port = 80
    		18 |     }
    		19 |     type = "LoadBalancer"
    		20 |   }
    		21 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /13-EKS-IRSA/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /13-EKS-IRSA/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /13-EKS-IRSA/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /13-EKS-IRSA/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_account_v1.irsa_demo_sa
    	File: /13-EKS-IRSA/02-eks-irsa-demo-terraform-manifests/c4-03-irsa-k8s-service-account.tf:2-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_account_v1" "irsa_demo_sa" {
    		3  |   depends_on = [ aws_iam_role_policy_attachment.irsa_iam_role_policy_attach ]
    		4  |   metadata {
    		5  |     name = "irsa-demo-sa"
    		6  |     annotations = {
    		7  |       "eks.amazonaws.com/role-arn" = aws_iam_role.irsa_iam_role.arn
    		8  |       }
    		9  |   }
    		10 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_job_v1.irsa_demo
    	File: /13-EKS-IRSA/02-eks-irsa-demo-terraform-manifests/c4-04-irsa-k8s-job.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_job_v1" "irsa_demo" {
    		3  |   metadata {
    		4  |     name = "irsa-demo"
    		5  |   }
    		6  |   spec {
    		7  |     template {
    		8  |       metadata {
    		9  |         labels = {
    		10 |           app = "irsa-demo"
    		11 |         }
    		12 |       }
    		13 |       spec {
    		14 |         service_account_name = kubernetes_service_account_v1.irsa_demo_sa.metadata.0.name 
    		15 |         container {
    		16 |           name    = "irsa-demo"
    		17 |           image   = "amazon/aws-cli:latest"
    		18 |           args = ["s3", "ls"]
    		19 |           #args = ["ec2", "describe-instances", "--region", "${var.aws_region}"] # Should fail as we don't have access to EC2 Describe Instances for IAM Role
    		20 |         }
    		21 |         restart_policy = "Never"
    		22 |       }
    		23 |     }
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /14-EBS-CSI-Install-Kubernetes-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /14-EBS-CSI-Install-Kubernetes-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /14-EBS-CSI-Install-Kubernetes-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /14-EBS-CSI-Install-Kubernetes-Storage/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /15-EBS-Kubernetes-SampleApp-YAML/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /15-EBS-Kubernetes-SampleApp-YAML/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /15-EBS-Kubernetes-SampleApp-YAML/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /15-EBS-Kubernetes-SampleApp-YAML/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_config_map_v1.config_map
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-03-UserMgmtWebApp-ConfigMap.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2 |  resource "kubernetes_config_map_v1" "config_map" {
    		3 |    metadata {
    		4 |      name = "usermanagement-dbcreation-script"
    		5 |    }
    		6 |    data = {
    		7 |     "webappdb.sql" = "${file("${path.module}/webappdb.sql")}"
    		8 |    }
    		9 |  } 
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.mysql_clusterip_service
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-05-mysql-clusterip-service.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "mysql_clusterip_service" {
    		3  |   metadata {
    		4  |     name = "mysql"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.mysql_deployment.spec.0.selector.0.match_labels.app 
    		9  |     }
    		10 |     port {
    		11 |       port        = 3306 # Service Port
    		12 |       #target_port = 3306 # Container Port  # Ignored when we use cluster_ip = "None"
    		13 |     }
    		14 |     type = "ClusterIP"
    		15 |     cluster_ip = "None" # This means we are going to use Pod IP   
    		16 |   }
    		17 | }
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-07-UserMgmtWebApp-loadbalancer-service.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-clb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |     }
    		14 |     type = "LoadBalancer"
    		15 |   }
    		16 | }
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.network_lb_service
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-08-UserMgmtWebApp-network-loadbalancer-service.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "network_lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-network-lb-service"
    		5  |     annotations = {
    		6  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       port        = 80
    		15 |       target_port = 8080
    		16 |     }
    		17 |     type = "LoadBalancer"
    		18 |   }
    		19 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.nodeport_service
    	File: /16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-09-UserMgmtWebApp-nodeport-service.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "nodeport_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-nodeport-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |       node_port = 31280
    		14 |     }
    		15 | 
    		16 |     type = "NodePort"
    		17 |   }
    		18 | }
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /17-EBS-Resizing-on-EKS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /17-EBS-Resizing-on-EKS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /17-EBS-Resizing-on-EKS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /17-EBS-Resizing-on-EKS/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_config_map_v1.config_map
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-03-UserMgmtWebApp-ConfigMap.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2 |  resource "kubernetes_config_map_v1" "config_map" {
    		3 |    metadata {
    		4 |      name = "usermanagement-dbcreation-script"
    		5 |    }
    		6 |    data = {
    		7 |     "webappdb.sql" = "${file("${path.module}/webappdb.sql")}"
    		8 |    }
    		9 |  } 
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.mysql_clusterip_service
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-05-mysql-clusterip-service.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "mysql_clusterip_service" {
    		3  |   metadata {
    		4  |     name = "mysql"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.mysql_deployment.spec.0.selector.0.match_labels.app 
    		9  |     }
    		10 |     port {
    		11 |       port        = 3306 # Service Port
    		12 |       #target_port = 3306 # Container Port  # Ignored when we use cluster_ip = "None"
    		13 |     }
    		14 |     type = "ClusterIP"
    		15 |     cluster_ip = "None" # This means we are going to use Pod IP   
    		16 |   }
    		17 | }
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-07-UserMgmtWebApp-loadbalancer-service.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-clb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |     }
    		14 |     type = "LoadBalancer"
    		15 |   }
    		16 | }
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.network_lb_service
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-08-UserMgmtWebApp-network-loadbalancer-service.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "network_lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-network-lb-service"
    		5  |     annotations = {
    		6  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       port        = 80
    		15 |       target_port = 8080
    		16 |     }
    		17 |     type = "LoadBalancer"
    		18 |   }
    		19 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.nodeport_service
    	File: /17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-09-UserMgmtWebApp-nodeport-service.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "nodeport_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-nodeport-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |       node_port = 31280
    		14 |     }
    		15 | 
    		16 |     type = "NodePort"
    		17 |   }
    		18 | }
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_config_map_v1.config_map
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-03-UserMgmtWebApp-ConfigMap.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2 |  resource "kubernetes_config_map_v1" "config_map" {
    		3 |    metadata {
    		4 |      name = "usermanagement-dbcreation-script"
    		5 |    }
    		6 |    data = {
    		7 |     "webappdb.sql" = "${file("${path.module}/webappdb.sql")}"
    		8 |    }
    		9 |  } 
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.mysql_clusterip_service
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-05-mysql-clusterip-service.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "mysql_clusterip_service" {
    		3  |   metadata {
    		4  |     name = "mysql"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.mysql_deployment.spec.0.selector.0.match_labels.app 
    		9  |     }
    		10 |     port {
    		11 |       port        = 3306 # Service Port
    		12 |       #target_port = 3306 # Container Port  # Ignored when we use cluster_ip = "None"
    		13 |     }
    		14 |     type = "ClusterIP"
    		15 |     cluster_ip = "None" # This means we are going to use Pod IP   
    		16 |   }
    		17 | }
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-07-UserMgmtWebApp-loadbalancer-service.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-lb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |     }
    		14 |     type = "LoadBalancer"
    		15 |   }
    		16 | }
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.network_lb_service
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-08-UserMgmtWebApp-network-loadbalancer-service.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "network_lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-network-lb-service"
    		5  |     annotations = {
    		6  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       port        = 80
    		15 |       target_port = 8080
    		16 |     }
    		17 |     type = "LoadBalancer"
    		18 |   }
    		19 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.nodeport_service
    	File: /18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-09-UserMgmtWebApp-nodeport-service.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "nodeport_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-nodeport-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |       node_port = 31280
    		14 |     }
    		15 | 
    		16 |     type = "NodePort"
    		17 |   }
    		18 | }
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /19-EKS-Admins-AWS-Admin-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /19-EKS-Admins-AWS-Admin-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /19-EKS-Admins-AWS-Admin-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /19-EKS-Admins-AWS-Admin-User/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /20-EKS-Admins-AWS-Basic-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /20-EKS-Admins-AWS-Basic-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /20-EKS-Admins-AWS-Basic-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /20-EKS-Admins-AWS-Basic-User/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth
    		39 |   ] 
    		40 | 
    		41 |   tags = {
    		42 |     Name = "Public-Node-Group"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"  
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"  
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-30
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |       },
    		28 |     ]
    		29 |   })
    		30 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |       },
    		28 |     ]
    		29 |   })
    		30 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-30
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |       },
    		28 |     ]
    		29 |   })
    		30 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-30
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |       },
    		28 |     ]
    		29 |   })
    		30 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /22-EKS-Admins-with-AWS-IAM-Roles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /22-EKS-Admins-with-AWS-IAM-Roles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /22-EKS-Admins-with-AWS-IAM-Roles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /22-EKS-Admins-with-AWS-IAM-Roles/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 | 
    		41 |   tags = {
    		42 |     Name = "Public-Node-Group"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 | 
    		41 |   tags = {
    		42 |     Name = "Public-Node-Group"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   metadata {
    		4  |     name = "${local.name}-eksdeveloper-role"
    		5  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		6  |   }
    		7  | 
    		8  |   rule {
    		9  |     api_groups     = ["", "extensions", "apps"]
    		10 |     resources      = ["*"]
    		11 |     verbs          = ["*"]
    		12 |   }
    		13 |   rule {
    		14 |     api_groups = ["batch"]
    		15 |     resources  = ["jobs", "cronjobs"]
    		16 |     verbs      = ["*"]
    		17 |   }
    		18 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 | 
    		41 |   tags = {
    		42 |     Name = "Public-Node-Group"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c5-kubernetes-app3-nodeport-service.tf:2-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		7  |       #"alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		8  |     }    
    		9  |   }
    		10 |   spec {
    		11 |     selector = {
    		12 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		13 |     }
    		14 |     port {
    		15 |       name        = "http"
    		16 |       port        = 80
    		17 |       target_port = 80
    		18 |     }
    		19 |     type = "NodePort"
    		20 |   }
    		21 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c6-kubernetes-ingress-service.tf:2-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_ingress_v1" "ingress" {
    		3  |   metadata {
    		4  |     name = "ingress-basics"
    		5  |     annotations = {
    		6  |       # Load Balancer Name
    		7  |       "alb.ingress.kubernetes.io/load-balancer-name" = "ingress-basics"
    		8  |       # Ingress Core Settings
    		9  |       "alb.ingress.kubernetes.io/scheme" = "internet-facing"
    		10 |       # Health Check Settings
    		11 |       "alb.ingress.kubernetes.io/healthcheck-protocol" =  "HTTP"
    		12 |       "alb.ingress.kubernetes.io/healthcheck-port" = "traffic-port"
    		13 |       #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		14 |       "alb.ingress.kubernetes.io/healthcheck-path" =  "/index.html"
    		15 |       "alb.ingress.kubernetes.io/healthcheck-interval-seconds" = 15
    		16 |       "alb.ingress.kubernetes.io/healthcheck-timeout-seconds" = 5
    		17 |       "alb.ingress.kubernetes.io/success-codes" = 200
    		18 |       "alb.ingress.kubernetes.io/healthy-threshold-count" = 2
    		19 |       "alb.ingress.kubernetes.io/unhealthy-threshold-count" = 2
    		20 |     }    
    		21 |   }
    		22 | 
    		23 |   spec {
    		24 |     ingress_class_name = "my-aws-ingress-class" # Ingress Class            
    		25 |     default_backend {
    		26 |       service {
    		27 |         name = kubernetes_service_v1.myapp3_np_service.metadata[0].name
    		28 |         port {
    		29 |           number = 80
    		30 |         }
    		31 |       }
    		32 |     }
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c10-kubernetes-ingress-service.tf:2-63
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c10-kubernetes-ingress-service.tf:2-71
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /30-EKS-ExternalDNS-Install/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c10-kubernetes-ingress-service.tf:2-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /32-EKS-ExternalDNS-with-k8s-Service/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c5-kubernetes-app1-loadbalancer-service.tf:2-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-loadbalancer-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |       "external-dns.alpha.kubernetes.io/hostname" = "tfextdns-k8s-service-demo101.stacksimplify.com"
    		8  |     }
    		9  |   }
    		10 |   spec {
    		11 |     selector = {
    		12 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		13 |     }
    		14 |     port {
    		15 |       name        = "http"
    		16 |       port        = 80
    		17 |       target_port = 80
    		18 |     }
    		19 |     type = "LoadBalancer"
    		20 |   }
    		21 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c10-kubernetes-ingress-service.tf:2-82
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /34-EKS-Ingress-SSLDiscovery-Host/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c10-kubernetes-ingress-service.tf:2-84
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c10-kubernetes-ingress-service.tf:8-84
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /36-EKS-Ingress-Groups/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress_app1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c10-kubernetes-app1-ingress-service.tf:2-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress_app2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c11-kubernetes-app2-ingress-service.tf:2-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress_app3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c12-kubernetes-app3-ingress-service.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_ingress_v1" "ingress_app3" {
    		3  |   metadata {
    		4  |     name = "app3-ingress"
    		5  |     annotations = {
    		6  |       # Load Balancer Name
    		7  |       "alb.ingress.kubernetes.io/load-balancer-name" = "ingress-groups-demo"
    		8  |       # Ingress Core Settings
    		9  |       "alb.ingress.kubernetes.io/scheme" = "internet-facing"
    		10 |       # Health Check Settings
    		11 |       "alb.ingress.kubernetes.io/healthcheck-protocol" =  "HTTP"
    		12 |       "alb.ingress.kubernetes.io/healthcheck-port" = "traffic-port"
    		13 |       #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		14 |       "alb.ingress.kubernetes.io/healthcheck-interval-seconds" = 15
    		15 |       "alb.ingress.kubernetes.io/healthcheck-timeout-seconds" = 5
    		16 |       "alb.ingress.kubernetes.io/success-codes" = 200
    		17 |       "alb.ingress.kubernetes.io/healthy-threshold-count" = 2
    		18 |       "alb.ingress.kubernetes.io/unhealthy-threshold-count" = 2
    		19 |       ## SSL Settings
    		20 |       # Option-1: Using Terraform jsonencode Function
    		21 |       "alb.ingress.kubernetes.io/listen-ports" = jsonencode([{"HTTPS" = 443}, {"HTTP" = 80}])
    		22 |       # Option-2: Using Terraform File Function      
    		23 |       #"alb.ingress.kubernetes.io/listen-ports" = file("${path.module}/listen-ports/listen-ports.json")
    		24 |       "alb.ingress.kubernetes.io/certificate-arn" =  "${aws_acm_certificate.acm_cert.arn}"    
    		25 |       #"alb.ingress.kubernetes.io/ssl-policy" = "ELBSecurityPolicy-TLS-1-1-2017-01" #Optional (Picks default if not used)    
    		26 |       # SSL Redirect Setting
    		27 |       "alb.ingress.kubernetes.io/ssl-redirect" = 443
    		28 |       # External DNS - For creating a Record Set in Route53
    		29 |       "external-dns.alpha.kubernetes.io/hostname" = "tfingress-groups-demo102.stacksimplify.com"
    		30 |       # Ingress Groups
    		31 |       "alb.ingress.kubernetes.io/group.name" = "myapps.web"
    		32 |       "alb.ingress.kubernetes.io/group.order" = 30
    		33 |     }    
    		34 |   }
    		35 | 
    		36 |   spec {
    		37 |     ingress_class_name = "my-aws-ingress-class" # Ingress Class        
    		38 |     # Default Backend    
    		39 |     default_backend {
    		40 |       service {
    		41 |         name = kubernetes_service_v1.myapp3_np_service.metadata[0].name
    		42 |         port {
    		43 |           number = 80
    		44 |         }
    		45 |       }
    		46 |     }
    		47 |   }
    		48 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /37-EKS-Ingress-TargetType-IP/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c10-kubernetes-ingress-service.tf:2-77
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /38-EKS-Ingress-InternalLB/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c10-kubernetes-ingress-service.tf:2-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /39-EKS-Ingress-Cross-Namespaces/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /40-EKS-NLB-Basics/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_nlb_service
    	File: /40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c5-kubernetes-app3-nlb-service.tf:2-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_nlb_service" {
    		3  |   metadata {
    		4  |     name = "basics-lbc-network-lb"
    		5  |     annotations = {
    		6  |       # Traffic Routing
    		7  |       "service.beta.kubernetes.io/aws-load-balancer-name" = "basics-lbc-network-lb"
    		8  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "external"
    		9  |       "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" = "instance" # specifies the target type to configure for NLB. You can choose between instance and ip
    		10 |       #service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet ## Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.
    		11 |       
    		12 |       # Health Check Settings
    		13 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol" = "http"
    		14 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-port" = "traffic-port"
    		15 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-path" = "/index.html"
    		16 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold" = 3
    		17 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold" = 3
    		18 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval" = 10 # The controller currently ignores the timeout configuration due to the limitations on the AWS NLB. The default timeout for TCP is 10s and HTTP is 6s.
    		19 | 
    		20 |       # Access Control
    		21 |       "service.beta.kubernetes.io/load-balancer-source-ranges" = "0.0.0.0/0"  # specifies the CIDRs that are allowed to access the NLB.
    		22 |       "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internet-facing" # specifies whether the NLB will be internet-facing or internal
    		23 | 
    		24 |       # AWS Resource Tags
    		25 |       "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags" = "Environment=dev, Team=test"
    		26 |     }        
    		27 |   }
    		28 |   spec {
    		29 |     selector = {
    		30 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		31 |     }
    		32 |     port {
    		33 |       name        = "http"
    		34 |       port        = 80
    		35 |       target_port = 80
    		36 |     }
    		37 |     type = "LoadBalancer"
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /41-EKS-NLB-TLS-externaldns/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_nlb_service
    	File: /41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c5-kubernetes-app3-nlb-service.tf:2-54
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /42-EKS-NLB-InternalLB/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_nlb_service
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c5-kubernetes-app3-nlb-service.tf:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_nlb_service" {
    		3  |   metadata {
    		4  |     name = "lbc-network-lb-internal"
    		5  |     annotations = {
    		6  |       # Traffic Routing
    		7  |       "service.beta.kubernetes.io/aws-load-balancer-name" = "lbc-network-lb-internal"
    		8  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "external"
    		9  |       "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" = "instance" # specifies the target type to configure for NLB. You can choose between instance and ip
    		10 |       #service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet ## Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.
    		11 |       
    		12 |       # Health Check Settings
    		13 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol" = "http"
    		14 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-port" = "traffic-port"
    		15 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-path" = "/index.html"
    		16 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold" = 3
    		17 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold" = 3
    		18 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval" = 10 # The controller currently ignores the timeout configuration due to the limitations on the AWS NLB. The default timeout for TCP is 10s and HTTP is 6s.
    		19 | 
    		20 |       # Access Control
    		21 |       "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internal" # specifies whether the NLB will be internet-facing or internal
    		22 |       # The VPC CIDR will be used if service.beta.kubernetes.io/aws-load-balancer-scheme is internal
    		23 |       #"service.beta.kubernetes.io/load-balancer-source-ranges" = "0.0.0.0/0"  # specifies the CIDRs that are allowed to access the NLB.
    		24 |       
    		25 |       # AWS Resource Tags
    		26 |       "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags" = "Environment=dev, Team=test"
    		27 |     }        
    		28 |   }
    		29 |   spec {
    		30 |     selector = {
    		31 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		32 |     }
    		33 |     port {
    		34 |       name        = "http"
    		35 |       port        = 80
    		36 |       target_port = 80
    		37 |     }
    		38 |     type = "LoadBalancer"
    		39 |   }
    		40 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /43-EKS-Fargate-Profiles/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /45-Fargate-Only-EKS-Cluster/01-ekscluster-terraform-manifests/c4-04-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /45-Fargate-Only-EKS-Cluster/01-ekscluster-terraform-manifests/c4-04-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /45-Fargate-Only-EKS-Cluster/01-ekscluster-terraform-manifests/c4-04-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /45-Fargate-Only-EKS-Cluster/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2   
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.efs_allow_access
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		2  | resource "aws_security_group" "efs_allow_access" {
    		3  |   name        = "efs-allow-nfs-from-eks-vpc"
    		4  |   description = "Allow Inbound NFS Traffic from EKS VPC CIDR"
    		5  |   vpc_id      = data.terraform_remote_state.eks.outputs.vpc_id
    		6  | 
    		7  |   ingress {
    		8  |     description      = "Allow Inbound NFS Traffic from EKS VPC CIDR to EFS File System"
    		9  |     from_port        = 2049
    		10 |     to_port          = 2049
    		11 |     protocol         = "tcp"
    		12 |     cidr_blocks      = [data.terraform_remote_state.eks.outputs.vpc_cidr_block]
    		13 |   }
    		14 | 
    		15 |   egress {
    		16 |     from_port        = 0
    		17 |     to_port          = 0
    		18 |     protocol         = "-1"
    		19 |     cidr_blocks      = ["0.0.0.0/0"]
    		20 |   }
    		21 | 
    		22 |   tags = {
    		23 |     Name = "allow_nfs_from_eks_vpc"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-02-myapp1-loadbalancer-service.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-clb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec[0].selector[0].match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 80
    		13 |     }
    		14 |     type = "LoadBalancer"
    		15 |   }
    		16 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.network_lb_service
    	File: /47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-03-myapp1-network-loadbalancer-service.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "network_lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-network-lb-service"
    		5  |     annotations = {
    		6  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec[0].selector[0].match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       port        = 80
    		15 |       target_port = 80
    		16 |     }
    		17 |     type = "LoadBalancer"
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.efs_allow_access
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		2  | resource "aws_security_group" "efs_allow_access" {
    		3  |   name        = "efs-allow-nfs-from-eks-vpc"
    		4  |   description = "Allow Inbound NFS Traffic from EKS VPC CIDR"
    		5  |   vpc_id      = data.terraform_remote_state.eks.outputs.vpc_id
    		6  | 
    		7  |   ingress {
    		8  |     description      = "Allow Inbound NFS Traffic from EKS VPC CIDR to EFS File System"
    		9  |     from_port        = 2049
    		10 |     to_port          = 2049
    		11 |     protocol         = "tcp"
    		12 |     cidr_blocks      = [data.terraform_remote_state.eks.outputs.vpc_cidr_block]
    		13 |   }
    		14 | 
    		15 |   egress {
    		16 |     from_port        = 0
    		17 |     to_port          = 0
    		18 |     protocol         = "-1"
    		19 |     cidr_blocks      = ["0.0.0.0/0"]
    		20 |   }
    		21 | 
    		22 |   tags = {
    		23 |     Name = "allow_nfs_from_eks_vpc"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-02-myapp1-loadbalancer-service.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-clb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec[0].selector[0].match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 80
    		13 |     }
    		14 |     type = "LoadBalancer"
    		15 |   }
    		16 | }

    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.network_lb_service
    	File: /48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-03-myapp1-network-loadbalancer-service.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "network_lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-network-lb-service"
    		5  |     annotations = {
    		6  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec[0].selector[0].match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       port        = 80
    		15 |       target_port = 80
    		16 |     }
    		17 |     type = "LoadBalancer"
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.efs_allow_access
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		2  | resource "aws_security_group" "efs_allow_access" {
    		3  |   name        = "efs-allow-nfs-from-eks-vpc"
    		4  |   description = "Allow Inbound NFS Traffic from VPC CIDR"
    		5  |   vpc_id      = data.terraform_remote_state.eks.outputs.vpc_id
    		6  | 
    		7  |   ingress {
    		8  |     description      = "Allow Inbound NFS Traffic from EKS VPC CIDR to EFS File System"
    		9  |     from_port        = 2049
    		10 |     to_port          = 2049
    		11 |     protocol         = "tcp"
    		12 |     cidr_blocks      = [data.terraform_remote_state.eks.outputs.vpc_cidr_block]
    		13 |   }
    		14 | 
    		15 |   egress {
    		16 |     from_port        = 0
    		17 |     to_port          = 0
    		18 |     protocol         = "-1"
    		19 |     cidr_blocks      = ["0.0.0.0/0"]
    		20 |   }
    		21 | 
    		22 |   tags = {
    		23 |     Name = "allow_nfs_from_eks_vpc"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }

    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.efs_allow_access
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		2  | resource "aws_security_group" "efs_allow_access" {
    		3  |   name        = "efs-allow-nfs-from-eks-vpc"
    		4  |   description = "Allow Inbound NFS Traffic from VPC CIDR"
    		5  |   vpc_id      = data.terraform_remote_state.eks.outputs.vpc_id
    		6  | 
    		7  |   ingress {
    		8  |     description      = "Allow Inbound NFS Traffic from EKS VPC CIDR to EFS File System"
    		9  |     from_port        = 2049
    		10 |     to_port          = 2049
    		11 |     protocol         = "tcp"
    		12 |     cidr_blocks      = [data.terraform_remote_state.eks.outputs.vpc_cidr_block]
    		13 |   }
    		14 | 
    		15 |   egress {
    		16 |     from_port        = 0
    		17 |     to_port          = 0
    		18 |     protocol         = "-1"
    		19 |     cidr_blocks      = ["0.0.0.0/0"]
    		20 |   }
    		21 | 
    		22 |   tags = {
    		23 |     Name = "allow_nfs_from_eks_vpc"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.cluster_autoscaler_iam_policy
    	File: /50-EKS-Cluster-Autoscaler/02-cluster-autoscaler-install-terraform-manifests/c4-01-cluster-autoscaler-iam-policy-and-role.tf:2-29
    
    		2  | resource "aws_iam_policy" "cluster_autoscaler_iam_policy" {
    		3  |   name        = "${local.name}-AmazonEKSClusterAutoscalerPolicy"
    		4  |   path        = "/"
    		5  |   description = "EKS Cluster Autoscaler Policy"
    		6  | 
    		7  |   # Terraform's "jsonencode" function converts a
    		8  |   # Terraform expression result to valid JSON syntax.
    		9  |   policy = jsonencode({
    		10 |     "Version": "2012-10-17",
    		11 |     "Statement": [
    		12 |         {
    		13 |             "Action": [
    		14 |                 "autoscaling:DescribeAutoScalingGroups",
    		15 |                 "autoscaling:DescribeAutoScalingInstances",
    		16 |                 "autoscaling:DescribeInstances",
    		17 |                 "autoscaling:DescribeLaunchConfigurations",
    		18 |                 "autoscaling:DescribeTags",
    		19 |                 "autoscaling:SetDesiredCapacity",
    		20 |                 "autoscaling:TerminateInstanceInAutoScalingGroup",
    		21 |                 "ec2:DescribeLaunchTemplateVersions",
    		22 |                 "ec2:DescribeInstanceTypes"
    		23 |             ],
    		24 |             "Resource": "*",
    		25 |             "Effect": "Allow"
    		26 |         }
    		27 |     ]
    		28 | })
    		29 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy.cluster_autoscaler_iam_policy
    	File: /50-EKS-Cluster-Autoscaler/02-cluster-autoscaler-install-terraform-manifests/c4-01-cluster-autoscaler-iam-policy-and-role.tf:2-29
    
    		2  | resource "aws_iam_policy" "cluster_autoscaler_iam_policy" {
    		3  |   name        = "${local.name}-AmazonEKSClusterAutoscalerPolicy"
    		4  |   path        = "/"
    		5  |   description = "EKS Cluster Autoscaler Policy"
    		6  | 
    		7  |   # Terraform's "jsonencode" function converts a
    		8  |   # Terraform expression result to valid JSON syntax.
    		9  |   policy = jsonencode({
    		10 |     "Version": "2012-10-17",
    		11 |     "Statement": [
    		12 |         {
    		13 |             "Action": [
    		14 |                 "autoscaling:DescribeAutoScalingGroups",
    		15 |                 "autoscaling:DescribeAutoScalingInstances",
    		16 |                 "autoscaling:DescribeInstances",
    		17 |                 "autoscaling:DescribeLaunchConfigurations",
    		18 |                 "autoscaling:DescribeTags",
    		19 |                 "autoscaling:SetDesiredCapacity",
    		20 |                 "autoscaling:TerminateInstanceInAutoScalingGroup",
    		21 |                 "ec2:DescribeLaunchTemplateVersions",
    		22 |                 "ec2:DescribeInstanceTypes"
    		23 |             ],
    		24 |             "Resource": "*",
    		25 |             "Effect": "Allow"
    		26 |         }
    		27 |     ]
    		28 | })
    		29 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.cluster_autoscaler_iam_policy
    	File: /51-EKS-Cluster-Autoscaler-Testing/02-cluster-autoscaler-install-terraform-manifests/c4-01-cluster-autoscaler-iam-policy-and-role.tf:2-29
    
    		2  | resource "aws_iam_policy" "cluster_autoscaler_iam_policy" {
    		3  |   name        = "${local.name}-AmazonEKSClusterAutoscalerPolicy"
    		4  |   path        = "/"
    		5  |   description = "EKS Cluster Autoscaler Policy"
    		6  | 
    		7  |   # Terraform's "jsonencode" function converts a
    		8  |   # Terraform expression result to valid JSON syntax.
    		9  |   policy = jsonencode({
    		10 |     "Version": "2012-10-17",
    		11 |     "Statement": [
    		12 |         {
    		13 |             "Action": [
    		14 |                 "autoscaling:DescribeAutoScalingGroups",
    		15 |                 "autoscaling:DescribeAutoScalingInstances",
    		16 |                 "autoscaling:DescribeInstances",
    		17 |                 "autoscaling:DescribeLaunchConfigurations",
    		18 |                 "autoscaling:DescribeTags",
    		19 |                 "autoscaling:SetDesiredCapacity",
    		20 |                 "autoscaling:TerminateInstanceInAutoScalingGroup",
    		21 |                 "ec2:DescribeLaunchTemplateVersions",
    		22 |                 "ec2:DescribeInstanceTypes"
    		23 |             ],
    		24 |             "Resource": "*",
    		25 |             "Effect": "Allow"
    		26 |         }
    		27 |     ]
    		28 | })
    		29 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy.cluster_autoscaler_iam_policy
    	File: /51-EKS-Cluster-Autoscaler-Testing/02-cluster-autoscaler-install-terraform-manifests/c4-01-cluster-autoscaler-iam-policy-and-role.tf:2-29
    
    		2  | resource "aws_iam_policy" "cluster_autoscaler_iam_policy" {
    		3  |   name        = "${local.name}-AmazonEKSClusterAutoscalerPolicy"
    		4  |   path        = "/"
    		5  |   description = "EKS Cluster Autoscaler Policy"
    		6  | 
    		7  |   # Terraform's "jsonencode" function converts a
    		8  |   # Terraform expression result to valid JSON syntax.
    		9  |   policy = jsonencode({
    		10 |     "Version": "2012-10-17",
    		11 |     "Statement": [
    		12 |         {
    		13 |             "Action": [
    		14 |                 "autoscaling:DescribeAutoScalingGroups",
    		15 |                 "autoscaling:DescribeAutoScalingInstances",
    		16 |                 "autoscaling:DescribeInstances",
    		17 |                 "autoscaling:DescribeLaunchConfigurations",
    		18 |                 "autoscaling:DescribeTags",
    		19 |                 "autoscaling:SetDesiredCapacity",
    		20 |                 "autoscaling:TerminateInstanceInAutoScalingGroup",
    		21 |                 "ec2:DescribeLaunchTemplateVersions",
    		22 |                 "ec2:DescribeInstanceTypes"
    		23 |             ],
    		24 |             "Resource": "*",
    		25 |             "Effect": "Allow"
    		26 |         }
    		27 |     ]
    		28 | })
    		29 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_cip_service
    	File: /52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c5-kubernetes-app3-clusterip-service.tf:2-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_cip_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-cip-service"
    		5  |     annotations = {
    		6  |       #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		7  |       #"alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		8  |     }    
    		9  |   }
    		10 |   spec {
    		11 |     selector = {
    		12 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		13 |     }
    		14 |     port {
    		15 |       name        = "http"
    		16 |       port        = 80
    		17 |       target_port = 80
    		18 |     }
    		19 |     type = "ClusterIP"
    		20 |   }
    		21 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_cip_service
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-03-vpa-sample-app-service.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_cip_service" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-service-nginx" 
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.vpa_demo_app.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       name        = "http"
    		12 |       port        = 80
    		13 |       target_port = 80
    		14 |     }
    		15 |     type = "ClusterIP"
    		16 |   }
    		17 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.ec2demo
    	File: /BACKUP-BEFORE-MAY2023/02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		18 | resource "aws_instance" "ec2demo" {
    		19 |   ami           = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
    		20 |   instance_type = "t2.micro"
    		21 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.ec2demo
    	File: /BACKUP-BEFORE-MAY2023/02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		18 | resource "aws_instance" "ec2demo" {
    		19 |   ami           = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
    		20 |   instance_type = "t2.micro"
    		21 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.ec2demo
    	File: /BACKUP-BEFORE-MAY2023/02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		18 | resource "aws_instance" "ec2demo" {
    		19 |   ami           = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
    		20 |   instance_type = "t2.micro"
    		21 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.ec2demo
    	File: /BACKUP-BEFORE-MAY2023/02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		18 | resource "aws_instance" "ec2demo" {
    		19 |   ami           = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
    		20 |   instance_type = "t2.micro"
    		21 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.ec2demo
    	File: /BACKUP-BEFORE-MAY2023/02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		29 | resource "aws_instance" "ec2demo" {
    		30 |   ami           = "ami-04d29b6f966df1537" # Amazon Linux
    		31 |   instance_type = var.instance_type
    		32 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.ec2demo
    	File: /BACKUP-BEFORE-MAY2023/02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		29 | resource "aws_instance" "ec2demo" {
    		30 |   ami           = "ami-04d29b6f966df1537" # Amazon Linux
    		31 |   instance_type = var.instance_type
    		32 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.ec2demo
    	File: /BACKUP-BEFORE-MAY2023/02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		29 | resource "aws_instance" "ec2demo" {
    		30 |   ami           = "ami-04d29b6f966df1537" # Amazon Linux
    		31 |   instance_type = var.instance_type
    		32 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.ec2demo
    	File: /BACKUP-BEFORE-MAY2023/02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		29 | resource "aws_instance" "ec2demo" {
    		30 |   ami           = "ami-04d29b6f966df1537" # Amazon Linux
    		31 |   instance_type = var.instance_type
    		32 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2 | resource "aws_instance" "myec2vm" {
    		3 |   ami = "ami-0742b4e673072066f"
    		4 |   instance_type = "t3.micro"
    		5 |   user_data = file("${path.module}/app1-install.sh")
    		6 |   tags = {
    		7 |     "Name" = "EC2 Demo"
    		8 |   }
    		9 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2 | resource "aws_instance" "myec2vm" {
    		3 |   ami = "ami-0742b4e673072066f"
    		4 |   instance_type = "t3.micro"
    		5 |   user_data = file("${path.module}/app1-install.sh")
    		6 |   tags = {
    		7 |     "Name" = "EC2 Demo"
    		8 |   }
    		9 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2 | resource "aws_instance" "myec2vm" {
    		3 |   ami = "ami-0742b4e673072066f"
    		4 |   instance_type = "t3.micro"
    		5 |   user_data = file("${path.module}/app1-install.sh")
    		6 |   tags = {
    		7 |     "Name" = "EC2 Demo"
    		8 |   }
    		9 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2 | resource "aws_instance" "myec2vm" {
    		3 |   ami = "ami-0742b4e673072066f"
    		4 |   instance_type = "t3.micro"
    		5 |   user_data = file("${path.module}/app1-install.sh")
    		6 |   tags = {
    		7 |     "Name" = "EC2 Demo"
    		8 |   }
    		9 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.vpc-ssh
    	File: /BACKUP-BEFORE-MAY2023/04-Terraform-Variables-and-Datasources/terraform-manifests/c3-ec2securitygroups.tf:2-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		2  | resource "aws_security_group" "vpc-ssh" {
    		3  |   name        = "vpc-ssh"
    		4  |   description = "Dev VPC SSH"
    		5  |   ingress {
    		6  |     description = "Allow Port 22"
    		7  |     from_port   = 22
    		8  |     to_port     = 22
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   egress {
    		14 |     description = "Allow all ip and ports outbound"    
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | 
    		21 |   tags = {
    		22 |     Name = "vpc-ssh"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.vpc-web
    	File: /BACKUP-BEFORE-MAY2023/04-Terraform-Variables-and-Datasources/terraform-manifests/c3-ec2securitygroups.tf:27-55
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		27 | resource "aws_security_group" "vpc-web" {
    		28 |   name        = "vpc-web"
    		29 |   description = "Dev VPC Web"
    		30 |   ingress {
    		31 |     description = "Allow Port 80"
    		32 |     from_port   = 80
    		33 |     to_port     = 80
    		34 |     protocol    = "tcp"
    		35 |     cidr_blocks = ["0.0.0.0/0"]
    		36 |   }
    		37 |   ingress {
    		38 |     description = "Allow Port 443"
    		39 |     from_port   = 443
    		40 |     to_port     = 443
    		41 |     protocol    = "tcp"
    		42 |     cidr_blocks = ["0.0.0.0/0"]
    		43 |   }  
    		44 |   egress {
    		45 |     description = "Allow all ip and ports outbound"    
    		46 |     from_port   = 0
    		47 |     to_port     = 0
    		48 |     protocol    = "-1"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   tags = {
    		53 |     Name = "vpc-web"
    		54 |   }
    		55 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   tags = {
    		9  |     "Name" = "EC2 Demo 2"
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   tags = {
    		9  |     "Name" = "EC2 Demo 2"
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   tags = {
    		9  |     "Name" = "EC2 Demo 2"
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   tags = {
    		9  |     "Name" = "EC2 Demo 2"
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.vpc-ssh
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c3-ec2securitygroups.tf:2-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		2  | resource "aws_security_group" "vpc-ssh" {
    		3  |   name        = "vpc-ssh"
    		4  |   description = "Dev VPC SSH"
    		5  |   ingress {
    		6  |     description = "Allow Port 22"
    		7  |     from_port   = 22
    		8  |     to_port     = 22
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   egress {
    		14 |     description = "Allow all ip and ports outbound"    
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | 
    		21 |   tags = {
    		22 |     Name = "vpc-ssh"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.vpc-web
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c3-ec2securitygroups.tf:27-55
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		27 | resource "aws_security_group" "vpc-web" {
    		28 |   name        = "vpc-web"
    		29 |   description = "Dev VPC Web"
    		30 |   ingress {
    		31 |     description = "Allow Port 80"
    		32 |     from_port   = 80
    		33 |     to_port     = 80
    		34 |     protocol    = "tcp"
    		35 |     cidr_blocks = ["0.0.0.0/0"]
    		36 |   }
    		37 |   ingress {
    		38 |     description = "Allow Port 443"
    		39 |     from_port   = 443
    		40 |     to_port     = 443
    		41 |     protocol    = "tcp"
    		42 |     cidr_blocks = ["0.0.0.0/0"]
    		43 |   }  
    		44 |   egress {
    		45 |     description = "Allow all ip and ports outbound"    
    		46 |     from_port   = 0
    		47 |     to_port     = 0
    		48 |     protocol    = "-1"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   tags = {
    		53 |     Name = "vpc-web"
    		54 |   }
    		55 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm[0]
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm[0]
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm[0]
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm[0]
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm[1]
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm[1]
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm[1]
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm[1]
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.vpc-ssh
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c3-ec2securitygroups.tf:2-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		2  | resource "aws_security_group" "vpc-ssh" {
    		3  |   name        = "vpc-ssh"
    		4  |   description = "Dev VPC SSH"
    		5  |   ingress {
    		6  |     description = "Allow Port 22"
    		7  |     from_port   = 22
    		8  |     to_port     = 22
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   egress {
    		14 |     description = "Allow all ip and ports outbound"    
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | 
    		21 |   tags = {
    		22 |     Name = "vpc-ssh"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.vpc-web
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c3-ec2securitygroups.tf:27-55
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		27 | resource "aws_security_group" "vpc-web" {
    		28 |   name        = "vpc-web"
    		29 |   description = "Dev VPC Web"
    		30 |   ingress {
    		31 |     description = "Allow Port 80"
    		32 |     from_port   = 80
    		33 |     to_port     = 80
    		34 |     protocol    = "tcp"
    		35 |     cidr_blocks = ["0.0.0.0/0"]
    		36 |   }
    		37 |   ingress {
    		38 |     description = "Allow Port 443"
    		39 |     from_port   = 443
    		40 |     to_port     = 443
    		41 |     protocol    = "tcp"
    		42 |     cidr_blocks = ["0.0.0.0/0"]
    		43 |   }  
    		44 |   egress {
    		45 |     description = "Allow all ip and ports outbound"    
    		46 |     from_port   = 0
    		47 |     to_port     = 0
    		48 |     protocol    = "-1"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   tags = {
    		53 |     Name = "vpc-web"
    		54 |   }
    		55 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		11 | resource "aws_instance" "myec2vm" {
    		12 |   ami = data.aws_ami.amzlinux2.id
    		13 |   instance_type = var.instance_type
    		14 |   user_data = file("${path.module}/app1-install.sh")
    		15 |   key_name = var.instance_keypair
    		16 |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		17 |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		18 |   for_each = toset(data.aws_availability_zones.my_azones.names)
    		19 |   availability_zone = each.key  # You can also use each.value because for list items each.key == each.value
    		20 |   tags = {
    		21 |     "Name" = "for_each-Demo-${each.value}"
    		22 |   }
    		23 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		11 | resource "aws_instance" "myec2vm" {
    		12 |   ami = data.aws_ami.amzlinux2.id
    		13 |   instance_type = var.instance_type
    		14 |   user_data = file("${path.module}/app1-install.sh")
    		15 |   key_name = var.instance_keypair
    		16 |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		17 |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		18 |   for_each = toset(data.aws_availability_zones.my_azones.names)
    		19 |   availability_zone = each.key  # You can also use each.value because for list items each.key == each.value
    		20 |   tags = {
    		21 |     "Name" = "for_each-Demo-${each.value}"
    		22 |   }
    		23 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		11 | resource "aws_instance" "myec2vm" {
    		12 |   ami = data.aws_ami.amzlinux2.id
    		13 |   instance_type = var.instance_type
    		14 |   user_data = file("${path.module}/app1-install.sh")
    		15 |   key_name = var.instance_keypair
    		16 |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		17 |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		18 |   for_each = toset(data.aws_availability_zones.my_azones.names)
    		19 |   availability_zone = each.key  # You can also use each.value because for list items each.key == each.value
    		20 |   tags = {
    		21 |     "Name" = "for_each-Demo-${each.value}"
    		22 |   }
    		23 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		11 | resource "aws_instance" "myec2vm" {
    		12 |   ami = data.aws_ami.amzlinux2.id
    		13 |   instance_type = var.instance_type
    		14 |   user_data = file("${path.module}/app1-install.sh")
    		15 |   key_name = var.instance_keypair
    		16 |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		17 |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		18 |   for_each = toset(data.aws_availability_zones.my_azones.names)
    		19 |   availability_zone = each.key  # You can also use each.value because for list items each.key == each.value
    		20 |   tags = {
    		21 |     "Name" = "for_each-Demo-${each.value}"
    		22 |   }
    		23 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
    		11 |   az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
    		11 |   az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
    		11 |   az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
    		11 |   az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.vpc-ssh
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c3-ec2securitygroups.tf:2-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		2  | resource "aws_security_group" "vpc-ssh" {
    		3  |   name        = "vpc-ssh"
    		4  |   description = "Dev VPC SSH"
    		5  |   ingress {
    		6  |     description = "Allow Port 22"
    		7  |     from_port   = 22
    		8  |     to_port     = 22
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   egress {
    		14 |     description = "Allow all ip and ports outbound"    
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | 
    		21 |   tags = {
    		22 |     Name = "vpc-ssh"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.vpc-web
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c3-ec2securitygroups.tf:27-55
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		27 | resource "aws_security_group" "vpc-web" {
    		28 |   name        = "vpc-web"
    		29 |   description = "Dev VPC Web"
    		30 |   ingress {
    		31 |     description = "Allow Port 80"
    		32 |     from_port   = 80
    		33 |     to_port     = 80
    		34 |     protocol    = "tcp"
    		35 |     cidr_blocks = ["0.0.0.0/0"]
    		36 |   }
    		37 |   ingress {
    		38 |     description = "Allow Port 443"
    		39 |     from_port   = 443
    		40 |     to_port     = 443
    		41 |     protocol    = "tcp"
    		42 |     cidr_blocks = ["0.0.0.0/0"]
    		43 |   }  
    		44 |   egress {
    		45 |     description = "Allow all ip and ports outbound"    
    		46 |     from_port   = 0
    		47 |     to_port     = 0
    		48 |     protocol    = "-1"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   tags = {
    		53 |     Name = "vpc-web"
    		54 |   }
    		55 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type: 
    		11 |     az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type: 
    		11 |     az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type: 
    		11 |     az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type: 
    		11 |     az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/08-AWS-EKS-Cluster-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/08-AWS-EKS-Cluster-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/08-AWS-EKS-Cluster-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/08-AWS-EKS-Cluster-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/08-AWS-EKS-Cluster-Basics/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c5-kubernetes-loadbalancer-service-clb.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-lb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       name        = "http"
    		12 |       port        = 80
    		13 |       target_port = 80
    		14 |     }
    		15 |     type = "LoadBalancer"
    		16 |   }
    		17 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.np_service
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c6-kubernetes-nodeport-service.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "np_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-nodeport-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       name        = "http"
    		12 |       port        = 80
    		13 |       target_port = 80
    		14 |       node_port   = 31280
    		15 |     }
    		16 |     type = "NodePort"
    		17 |   }
    		18 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service_nlb
    	File: /BACKUP-BEFORE-MAY2023/11-Kubernetes-Resources-via-Terraform/02-k8sresources-terraform-manifests/c7-kubernetes-loadbalancer-service-nlb.tf:3-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		3  | resource "kubernetes_service_v1" "lb_service_nlb" {
    		4  |   metadata {
    		5  |     name = "myapp1-lb-service-nlb"
    		6  |     annotations = {
    		7  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer  
    		8  |     }   
    		9  |   }
    		10 |   spec {
    		11 |     selector = {
    		12 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		13 |     }
    		14 |     port {
    		15 |       name        = "http"
    		16 |       port        = 80
    		17 |       target_port = 80
    		18 |     }
    		19 |     type = "LoadBalancer"
    		20 |   }
    		21 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 2
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "myapp1"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "myapp1"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "myapp1-container"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c5-kubernetes-loadbalancer-service-clb.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-lb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       name        = "http"
    		12 |       port        = 80
    		13 |       target_port = 80
    		14 |     }
    		15 |     type = "LoadBalancer"
    		16 |   }
    		17 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.np_service
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c6-kubernetes-nodeport-service.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "np_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-nodeport-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       name        = "http"
    		12 |       port        = 80
    		13 |       target_port = 80
    		14 |       node_port   = 31280
    		15 |     }
    		16 |     type = "NodePort"
    		17 |   }
    		18 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service_nlb
    	File: /BACKUP-BEFORE-MAY2023/12-Terraform-Remote-State-Storage/02-k8sresources-terraform-manifests/c7-kubernetes-loadbalancer-service-nlb.tf:3-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		3  | resource "kubernetes_service_v1" "lb_service_nlb" {
    		4  |   metadata {
    		5  |     name = "myapp1-lb-service-nlb"
    		6  |     annotations = {
    		7  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer  
    		8  |     }   
    		9  |   }
    		10 |   spec {
    		11 |     selector = {
    		12 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		13 |     }
    		14 |     port {
    		15 |       name        = "http"
    		16 |       port        = 80
    		17 |       target_port = 80
    		18 |     }
    		19 |     type = "LoadBalancer"
    		20 |   }
    		21 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/13-EKS-IRSA/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/13-EKS-IRSA/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/13-EKS-IRSA/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/13-EKS-IRSA/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/13-EKS-IRSA/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_account_v1.irsa_demo_sa
    	File: /BACKUP-BEFORE-MAY2023/13-EKS-IRSA/02-eks-irsa-demo-terraform-manifests/c4-03-irsa-k8s-service-account.tf:2-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_account_v1" "irsa_demo_sa" {
    		3  |   depends_on = [ aws_iam_role_policy_attachment.irsa_iam_role_policy_attach ]
    		4  |   metadata {
    		5  |     name = "irsa-demo-sa"
    		6  |     annotations = {
    		7  |       "eks.amazonaws.com/role-arn" = aws_iam_role.irsa_iam_role.arn
    		8  |       }
    		9  |   }
    		10 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_job_v1.irsa_demo
    	File: /BACKUP-BEFORE-MAY2023/13-EKS-IRSA/02-eks-irsa-demo-terraform-manifests/c4-04-irsa-k8s-job.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_job_v1" "irsa_demo" {
    		3  |   metadata {
    		4  |     name = "irsa-demo"
    		5  |   }
    		6  |   spec {
    		7  |     template {
    		8  |       metadata {
    		9  |         labels = {
    		10 |           app = "irsa-demo"
    		11 |         }
    		12 |       }
    		13 |       spec {
    		14 |         service_account_name = kubernetes_service_account_v1.irsa_demo_sa.metadata.0.name 
    		15 |         container {
    		16 |           name    = "irsa-demo"
    		17 |           image   = "amazon/aws-cli:latest"
    		18 |           args = ["s3", "ls"]
    		19 |           #args = ["ec2", "describe-instances", "--region", "${var.aws_region}"] # Should fail as we don't have access to EC2 Describe Instances for IAM Role
    		20 |         }
    		21 |         restart_policy = "Never"
    		22 |       }
    		23 |     }
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/14-EBS-CSI-Install-Kubernetes-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/14-EBS-CSI-Install-Kubernetes-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/14-EBS-CSI-Install-Kubernetes-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/14-EBS-CSI-Install-Kubernetes-Storage/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/14-EBS-CSI-Install-Kubernetes-Storage/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_config_map_v1.config_map
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-03-UserMgmtWebApp-ConfigMap.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2 |  resource "kubernetes_config_map_v1" "config_map" {
    		3 |    metadata {
    		4 |      name = "usermanagement-dbcreation-script"
    		5 |    }
    		6 |    data = {
    		7 |     "webappdb.sql" = "${file("${path.module}/webappdb.sql")}"
    		8 |    }
    		9 |  } 
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.mysql_clusterip_service
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-05-mysql-clusterip-service.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "mysql_clusterip_service" {
    		3  |   metadata {
    		4  |     name = "mysql"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.mysql_deployment.spec.0.selector.0.match_labels.app 
    		9  |     }
    		10 |     port {
    		11 |       port        = 3306 # Service Port
    		12 |       #target_port = 3306 # Container Port  # Ignored when we use cluster_ip = "None"
    		13 |     }
    		14 |     type = "ClusterIP"
    		15 |     cluster_ip = "None" # This means we are going to use Pod IP   
    		16 |   }
    		17 | }
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-07-UserMgmtWebApp-loadbalancer-service.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-clb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |     }
    		14 |     type = "LoadBalancer"
    		15 |   }
    		16 | }
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.network_lb_service
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-08-UserMgmtWebApp-network-loadbalancer-service.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "network_lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-network-lb-service"
    		5  |     annotations = {
    		6  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       port        = 80
    		15 |       target_port = 8080
    		16 |     }
    		17 |     type = "LoadBalancer"
    		18 |   }
    		19 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.nodeport_service
    	File: /BACKUP-BEFORE-MAY2023/16-EBS-Kubernetes-SampleApp-Terraform/03-terraform-manifests-UMS-WebApp/c4-09-UserMgmtWebApp-nodeport-service.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "nodeport_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-nodeport-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |       node_port = 31280
    		14 |     }
    		15 | 
    		16 |     type = "NodePort"
    		17 |   }
    		18 | }
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_config_map_v1.config_map
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-03-UserMgmtWebApp-ConfigMap.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2 |  resource "kubernetes_config_map_v1" "config_map" {
    		3 |    metadata {
    		4 |      name = "usermanagement-dbcreation-script"
    		5 |    }
    		6 |    data = {
    		7 |     "webappdb.sql" = "${file("${path.module}/webappdb.sql")}"
    		8 |    }
    		9 |  } 
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.mysql_clusterip_service
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-05-mysql-clusterip-service.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "mysql_clusterip_service" {
    		3  |   metadata {
    		4  |     name = "mysql"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.mysql_deployment.spec.0.selector.0.match_labels.app 
    		9  |     }
    		10 |     port {
    		11 |       port        = 3306 # Service Port
    		12 |       #target_port = 3306 # Container Port  # Ignored when we use cluster_ip = "None"
    		13 |     }
    		14 |     type = "ClusterIP"
    		15 |     cluster_ip = "None" # This means we are going to use Pod IP   
    		16 |   }
    		17 | }
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-07-UserMgmtWebApp-loadbalancer-service.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-clb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |     }
    		14 |     type = "LoadBalancer"
    		15 |   }
    		16 | }
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.network_lb_service
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-08-UserMgmtWebApp-network-loadbalancer-service.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "network_lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-network-lb-service"
    		5  |     annotations = {
    		6  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       port        = 80
    		15 |       target_port = 8080
    		16 |     }
    		17 |     type = "LoadBalancer"
    		18 |   }
    		19 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.nodeport_service
    	File: /BACKUP-BEFORE-MAY2023/17-EBS-Resizing-on-EKS/03-terraform-manifests-UMS-WebApp/c4-09-UserMgmtWebApp-nodeport-service.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "nodeport_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-nodeport-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |       node_port = 31280
    		14 |     }
    		15 | 
    		16 |     type = "NodePort"
    		17 |   }
    		18 | }
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_config_map_v1.config_map
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-03-UserMgmtWebApp-ConfigMap.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2 |  resource "kubernetes_config_map_v1" "config_map" {
    		3 |    metadata {
    		4 |      name = "usermanagement-dbcreation-script"
    		5 |    }
    		6 |    data = {
    		7 |     "webappdb.sql" = "${file("${path.module}/webappdb.sql")}"
    		8 |    }
    		9 |  } 
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.mysql_deployment
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-04-mysql-deployment.tf:2-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.mysql_clusterip_service
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-05-mysql-clusterip-service.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "mysql_clusterip_service" {
    		3  |   metadata {
    		4  |     name = "mysql"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.mysql_deployment.spec.0.selector.0.match_labels.app 
    		9  |     }
    		10 |     port {
    		11 |       port        = 3306 # Service Port
    		12 |       #target_port = 3306 # Container Port  # Ignored when we use cluster_ip = "None"
    		13 |     }
    		14 |     type = "ClusterIP"
    		15 |     cluster_ip = "None" # This means we are going to use Pod IP   
    		16 |   }
    		17 | }
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.usermgmt_webapp
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-06-UserMgmtWebApp-deployment.tf:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-07-UserMgmtWebApp-loadbalancer-service.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-lb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |     }
    		14 |     type = "LoadBalancer"
    		15 |   }
    		16 | }
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.network_lb_service
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-08-UserMgmtWebApp-network-loadbalancer-service.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "network_lb_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-network-lb-service"
    		5  |     annotations = {
    		6  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       port        = 80
    		15 |       target_port = 8080
    		16 |     }
    		17 |     type = "LoadBalancer"
    		18 |   }
    		19 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.nodeport_service
    	File: /BACKUP-BEFORE-MAY2023/18-EBS-CSI-Install-using-EKS-AddOn/03-terraform-manifests-UMS-WebApp/c4-09-UserMgmtWebApp-nodeport-service.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "nodeport_service" {
    		3  |   metadata {
    		4  |     name = "usermgmt-webapp-nodeport-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.usermgmt_webapp.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 8080
    		13 |       node_port = 31280
    		14 |     }
    		15 | 
    		16 |     type = "NodePort"
    		17 |   }
    		18 | }
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/19-EKS-Admins-AWS-Admin-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/19-EKS-Admins-AWS-Admin-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/19-EKS-Admins-AWS-Admin-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/19-EKS-Admins-AWS-Admin-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/19-EKS-Admins-AWS-Admin-User/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/20-EKS-Admins-AWS-Basic-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/20-EKS-Admins-AWS-Basic-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/20-EKS-Admins-AWS-Basic-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/20-EKS-Admins-AWS-Basic-User/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/20-EKS-Admins-AWS-Basic-User/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth
    		39 |   ] 
    		40 | 
    		41 |   tags = {
    		42 |     Name = "Public-Node-Group"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"  
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"  
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-30
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |       },
    		28 |     ]
    		29 |   })
    		30 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |       },
    		28 |     ]
    		29 |   })
    		30 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-30
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |       },
    		28 |     ]
    		29 |   })
    		30 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/21-EKS-Admins-as-AWS-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-30
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |       },
    		28 |     ]
    		29 |   })
    		30 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/22-EKS-Admins-with-AWS-IAM-Roles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/22-EKS-Admins-with-AWS-IAM-Roles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/22-EKS-Admins-with-AWS-IAM-Roles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/22-EKS-Admins-with-AWS-IAM-Roles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/22-EKS-Admins-with-AWS-IAM-Roles/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |   ] 
    		39 | 
    		40 |   tags = {
    		41 |     Name = "Public-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 | 
    		41 |   tags = {
    		42 |     Name = "Public-Node-Group"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/23-EKS-Admins-with-AWS-IAM-Roles-TF/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 | 
    		41 |   tags = {
    		42 |     Name = "Public-Node-Group"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/24-EKS-ReadOnly-IAM-Users/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   metadata {
    		4  |     name = "${local.name}-eksdeveloper-role"
    		5  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		6  |   }
    		7  | 
    		8  |   rule {
    		9  |     api_groups     = ["", "extensions", "apps"]
    		10 |     resources      = ["*"]
    		11 |     verbs          = ["*"]
    		12 |   }
    		13 |   rule {
    		14 |     api_groups = ["batch"]
    		15 |     resources  = ["jobs", "cronjobs"]
    		16 |     verbs      = ["*"]
    		17 |   }
    		18 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 | 
    		41 |   tags = {
    		42 |     Name = "Public-Node-Group"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/04-k8sresources-terraform-manifests/c4-kubernetes-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "myapp1-deployment"
    		5  |     labels = {
    		6  |       app = "myapp1"
    		7  |     }
    		8  |     namespace = "dev"
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 2
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "myapp1"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "myapp1"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:2.0.0"
    		30 |           name  = "myapp1-container"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/26-EKS-with-LoadBalancer-Controller/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c5-kubernetes-app3-nodeport-service.tf:2-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		7  |       #"alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		8  |     }    
    		9  |   }
    		10 |   spec {
    		11 |     selector = {
    		12 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		13 |     }
    		14 |     port {
    		15 |       name        = "http"
    		16 |       port        = 80
    		17 |       target_port = 80
    		18 |     }
    		19 |     type = "NodePort"
    		20 |   }
    		21 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/04-ingress-basics-terraform-manifests/c6-kubernetes-ingress-service.tf:2-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_ingress_v1" "ingress" {
    		3  |   metadata {
    		4  |     name = "ingress-basics"
    		5  |     annotations = {
    		6  |       # Load Balancer Name
    		7  |       "alb.ingress.kubernetes.io/load-balancer-name" = "ingress-basics"
    		8  |       # Ingress Core Settings
    		9  |       "alb.ingress.kubernetes.io/scheme" = "internet-facing"
    		10 |       # Health Check Settings
    		11 |       "alb.ingress.kubernetes.io/healthcheck-protocol" =  "HTTP"
    		12 |       "alb.ingress.kubernetes.io/healthcheck-port" = "traffic-port"
    		13 |       #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		14 |       "alb.ingress.kubernetes.io/healthcheck-path" =  "/index.html"
    		15 |       "alb.ingress.kubernetes.io/healthcheck-interval-seconds" = 15
    		16 |       "alb.ingress.kubernetes.io/healthcheck-timeout-seconds" = 5
    		17 |       "alb.ingress.kubernetes.io/success-codes" = 200
    		18 |       "alb.ingress.kubernetes.io/healthy-threshold-count" = 2
    		19 |       "alb.ingress.kubernetes.io/unhealthy-threshold-count" = 2
    		20 |     }    
    		21 |   }
    		22 | 
    		23 |   spec {
    		24 |     ingress_class_name = "my-aws-ingress-class" # Ingress Class            
    		25 |     default_backend {
    		26 |       service {
    		27 |         name = kubernetes_service_v1.myapp3_np_service.metadata[0].name
    		28 |         port {
    		29 |           number = 80
    		30 |         }
    		31 |       }
    		32 |     }
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c10-kubernetes-ingress-service.tf:2-63
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/04-ingress-cpr-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c10-kubernetes-ingress-service.tf:2-71
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/04-ingress-ssl-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/30-EKS-ExternalDNS-Install/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c10-kubernetes-ingress-service.tf:2-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/05-ingress-externaldns-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/05-k8sService-externaldns-terraform-manifests/c5-kubernetes-app1-loadbalancer-service.tf:2-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-loadbalancer-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |       "external-dns.alpha.kubernetes.io/hostname" = "tfextdns-k8s-service-demo101.stacksimplify.com"
    		8  |     }
    		9  |   }
    		10 |   spec {
    		11 |     selector = {
    		12 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		13 |     }
    		14 |     port {
    		15 |       name        = "http"
    		16 |       port        = 80
    		17 |       target_port = 80
    		18 |     }
    		19 |     type = "LoadBalancer"
    		20 |   }
    		21 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c10-kubernetes-ingress-service.tf:2-82
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/05-ingress-nvhr-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c10-kubernetes-ingress-service.tf:2-84
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/05-ingress-SSLDiscoveryHost-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c10-kubernetes-ingress-service.tf:8-84
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/05-ingress-SSLDiscoveryTLS-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress_app1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c10-kubernetes-app1-ingress-service.tf:2-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress_app2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c11-kubernetes-app2-ingress-service.tf:2-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress_app3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c12-kubernetes-app3-ingress-service.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_ingress_v1" "ingress_app3" {
    		3  |   metadata {
    		4  |     name = "app3-ingress"
    		5  |     annotations = {
    		6  |       # Load Balancer Name
    		7  |       "alb.ingress.kubernetes.io/load-balancer-name" = "ingress-groups-demo"
    		8  |       # Ingress Core Settings
    		9  |       "alb.ingress.kubernetes.io/scheme" = "internet-facing"
    		10 |       # Health Check Settings
    		11 |       "alb.ingress.kubernetes.io/healthcheck-protocol" =  "HTTP"
    		12 |       "alb.ingress.kubernetes.io/healthcheck-port" = "traffic-port"
    		13 |       #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		14 |       "alb.ingress.kubernetes.io/healthcheck-interval-seconds" = 15
    		15 |       "alb.ingress.kubernetes.io/healthcheck-timeout-seconds" = 5
    		16 |       "alb.ingress.kubernetes.io/success-codes" = 200
    		17 |       "alb.ingress.kubernetes.io/healthy-threshold-count" = 2
    		18 |       "alb.ingress.kubernetes.io/unhealthy-threshold-count" = 2
    		19 |       ## SSL Settings
    		20 |       # Option-1: Using Terraform jsonencode Function
    		21 |       "alb.ingress.kubernetes.io/listen-ports" = jsonencode([{"HTTPS" = 443}, {"HTTP" = 80}])
    		22 |       # Option-2: Using Terraform File Function      
    		23 |       #"alb.ingress.kubernetes.io/listen-ports" = file("${path.module}/listen-ports/listen-ports.json")
    		24 |       "alb.ingress.kubernetes.io/certificate-arn" =  "${aws_acm_certificate.acm_cert.arn}"    
    		25 |       #"alb.ingress.kubernetes.io/ssl-policy" = "ELBSecurityPolicy-TLS-1-1-2017-01" #Optional (Picks default if not used)    
    		26 |       # SSL Redirect Setting
    		27 |       "alb.ingress.kubernetes.io/ssl-redirect" = 443
    		28 |       # External DNS - For creating a Record Set in Route53
    		29 |       "external-dns.alpha.kubernetes.io/hostname" = "tfingress-groups-demo102.stacksimplify.com"
    		30 |       # Ingress Groups
    		31 |       "alb.ingress.kubernetes.io/group.name" = "myapps.web"
    		32 |       "alb.ingress.kubernetes.io/group.order" = 30
    		33 |     }    
    		34 |   }
    		35 | 
    		36 |   spec {
    		37 |     ingress_class_name = "my-aws-ingress-class" # Ingress Class        
    		38 |     # Default Backend    
    		39 |     default_backend {
    		40 |       service {
    		41 |         name = kubernetes_service_v1.myapp3_np_service.metadata[0].name
    		42 |         port {
    		43 |           number = 80
    		44 |         }
    		45 |       }
    		46 |     }
    		47 |   }
    		48 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/05-ingress-groups-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c10-kubernetes-ingress-service.tf:2-77
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/05-ingress-TargetType-IP-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_ingress_v1.ingress
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c10-kubernetes-ingress-service.tf:2-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c11-kubernetes-curl-pod-for-testing-InternalLB.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  |   spec {
    		7  |     container {
    		8  |       image = "curlimages/curl"
    		9  |       name  = "curl"
    		10 |       command = [ "sleep", "600" ]
    		11 |     }
    		12 |   }
    		13 | }
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app1-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app1-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		29 |           name  = "app1-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app2-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app2-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		29 |           name  = "app2-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp1_np_service
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c7-kubernetes-app1-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp1_np_service" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app1/index.html"
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp2_np_service
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c8-kubernetes-app2-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp2_np_service" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/app2/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp2.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_np_service
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/06-ingress-InternalLB-terraform-manifests/c9-kubernetes-app3-nodeport-service.tf:2-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_np_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-nodeport-service"
    		5  |     annotations = {
    		6  |       "alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		7  |     }    
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       name        = "http"
    		15 |       port        = 80
    		16 |       target_port = 80
    		17 |     }
    		18 |     type = "NodePort"
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app1-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app1.metadata[0].name
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app2-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app2.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/05-ingress-cross-ns-terraform-manifests/c5-kubernetes-app3-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |     namespace = kubernetes_namespace_v1.ns_app3.metadata[0].name    
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_nlb_service
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/05-nlb-basics-terraform-manifests/c5-kubernetes-app3-nlb-service.tf:2-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_nlb_service" {
    		3  |   metadata {
    		4  |     name = "basics-lbc-network-lb"
    		5  |     annotations = {
    		6  |       # Traffic Routing
    		7  |       "service.beta.kubernetes.io/aws-load-balancer-name" = "basics-lbc-network-lb"
    		8  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "external"
    		9  |       "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" = "instance" # specifies the target type to configure for NLB. You can choose between instance and ip
    		10 |       #service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet ## Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.
    		11 |       
    		12 |       # Health Check Settings
    		13 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol" = "http"
    		14 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-port" = "traffic-port"
    		15 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-path" = "/index.html"
    		16 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold" = 3
    		17 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold" = 3
    		18 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval" = 10 # The controller currently ignores the timeout configuration due to the limitations on the AWS NLB. The default timeout for TCP is 10s and HTTP is 6s.
    		19 | 
    		20 |       # Access Control
    		21 |       "service.beta.kubernetes.io/load-balancer-source-ranges" = "0.0.0.0/0"  # specifies the CIDRs that are allowed to access the NLB.
    		22 |       "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internet-facing" # specifies whether the NLB will be internet-facing or internal
    		23 | 
    		24 |       # AWS Resource Tags
    		25 |       "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags" = "Environment=dev, Team=test"
    		26 |     }        
    		27 |   }
    		28 |   spec {
    		29 |     selector = {
    		30 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		31 |     }
    		32 |     port {
    		33 |       name        = "http"
    		34 |       port        = 80
    		35 |       target_port = 80
    		36 |     }
    		37 |     type = "LoadBalancer"
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_nlb_service
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/05-nlb-tls-extdns-terraform-manifests/c5-kubernetes-app3-nlb-service.tf:2-54
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }    
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           }
    		34 |         }
    		35 |       }
    		36 |     }
    		37 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_nlb_service
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c5-kubernetes-app3-nlb-service.tf:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_nlb_service" {
    		3  |   metadata {
    		4  |     name = "lbc-network-lb-internal"
    		5  |     annotations = {
    		6  |       # Traffic Routing
    		7  |       "service.beta.kubernetes.io/aws-load-balancer-name" = "lbc-network-lb-internal"
    		8  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "external"
    		9  |       "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" = "instance" # specifies the target type to configure for NLB. You can choose between instance and ip
    		10 |       #service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet ## Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.
    		11 |       
    		12 |       # Health Check Settings
    		13 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol" = "http"
    		14 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-port" = "traffic-port"
    		15 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-path" = "/index.html"
    		16 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold" = 3
    		17 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold" = 3
    		18 |       "service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval" = 10 # The controller currently ignores the timeout configuration due to the limitations on the AWS NLB. The default timeout for TCP is 10s and HTTP is 6s.
    		19 | 
    		20 |       # Access Control
    		21 |       "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internal" # specifies whether the NLB will be internet-facing or internal
    		22 |       # The VPC CIDR will be used if service.beta.kubernetes.io/aws-load-balancer-scheme is internal
    		23 |       #"service.beta.kubernetes.io/load-balancer-source-ranges" = "0.0.0.0/0"  # specifies the CIDRs that are allowed to access the NLB.
    		24 |       
    		25 |       # AWS Resource Tags
    		26 |       "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags" = "Environment=dev, Team=test"
    		27 |     }        
    		28 |   }
    		29 |   spec {
    		30 |     selector = {
    		31 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		32 |     }
    		33 |     port {
    		34 |       name        = "http"
    		35 |       port        = 80
    		36 |       target_port = 80
    		37 |     }
    		38 |     type = "LoadBalancer"
    		39 |   }
    		40 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.curl_pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/06-nlb-internal-terraform-manifests/c6-kubernetes-curl-pod-for-testing-InternalLB.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "curl_pod" {
    		3  |   metadata {
    		4  |     name = "curl-pod"
    		5  |   }
    		6  | 
    		7  |   spec {
    		8  |     container {
    		9  |       image = "curlimages/curl"
    		10 |       name  = "curl"
    		11 |       command = [ "sleep", "600" ]
    		12 |     }
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/43-EKS-Fargate-Profiles/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.medium"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 1
    		22 |     min_size     = 1    
    		23 |     max_size     = 2
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/06-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/01-ekscluster-terraform-manifests/c4-04-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/01-ekscluster-terraform-manifests/c4-04-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/01-ekscluster-terraform-manifests/c4-04-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/01-ekscluster-terraform-manifests/c4-04-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.externaldns_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/03-externaldns-install-terraform-manifests/c4-01-externaldns-iam-policy-and-role.tf:2-30
    
    		2  | resource "aws_iam_policy" "externaldns_iam_policy" {
    		3  |   name        = "${local.name}-AllowExternalDNSUpdates"
    		4  |   path        = "/"
    		5  |   description = "External DNS IAM Policy"
    		6  |   policy = jsonencode({
    		7  |   "Version": "2012-10-17",
    		8  |   "Statement": [
    		9  |     {
    		10 |       "Effect": "Allow",
    		11 |       "Action": [
    		12 |         "route53:ChangeResourceRecordSets"
    		13 |       ],
    		14 |       "Resource": [
    		15 |         "arn:aws:route53:::hostedzone/*"
    		16 |       ]
    		17 |     },
    		18 |     {
    		19 |       "Effect": "Allow",
    		20 |       "Action": [
    		21 |         "route53:ListHostedZones",
    		22 |         "route53:ListResourceRecordSets"
    		23 |       ],
    		24 |       "Resource": [
    		25 |         "*"
    		26 |       ]
    		27 |     }
    		28 |   ]
    		29 | })
    		30 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c4-kubernetes-app1-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   metadata {
    		4  |     name = "app1-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"    
    		6  |     labels = {
    		7  |       app = "app1-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app1-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app1-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp1:1.0.0"
    		30 |           name  = "app1-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp2
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c5-kubernetes-app2-deployment.tf:2-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp2" {
    		3  |   metadata {
    		4  |     name = "app2-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app2-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app2-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app2-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kube-nginxapp2:1.0.0"
    		30 |           name  = "app2-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           }
    		35 |         }
    		36 |       }
    		37 |     }
    		38 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/45-Fargate-Only-EKS-Cluster/04-run-on-fargate-terraform-manifests/c6-kubernetes-app3-deployment.tf:2-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     namespace = "fp-ns-app1"        
    		6  |     labels = {
    		7  |       app = "app3-nginx"
    		8  |     }
    		9  |   } 
    		10 |  
    		11 |   spec {
    		12 |     replicas = 1
    		13 | 
    		14 |     selector {
    		15 |       match_labels = {
    		16 |         app = "app3-nginx"
    		17 |       }
    		18 |     }
    		19 | 
    		20 |     template {
    		21 |       metadata {
    		22 |         labels = {
    		23 |           app = "app3-nginx"
    		24 |         }
    		25 |       }
    		26 | 
    		27 |       spec {
    		28 |         container {
    		29 |           image = "stacksimplify/kubenginx:1.0.0"
    		30 |           name  = "app3-nginx"
    		31 |           port {
    		32 |             container_port = 80
    		33 |           }
    		34 |           resources {
    		35 |             requests = {
    		36 |               "cpu" = "1000m"
    		37 |               "memory" = "2048Mi" 
    		38 |             }
    		39 |             limits = {
    		40 |               "cpu" = "2000m"
    		41 |               "memory" = "4096Mi"
    		42 |             }
    		43 |           }
    		44 |           }
    		45 |         }
    		46 |       }
    		47 |     }
    		48 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }

    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/46-EKS-EFS-CSI-Install/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   #instance_types = ["t3.medium"]
    		14 |   instance_types = ["t3.large"]
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 | 
    		41 |   tags = {
    		42 |     Name = "Public-Node-Group"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.efs_allow_access
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		2  | resource "aws_security_group" "efs_allow_access" {
    		3  |   name        = "efs-allow-nfs-from-eks-vpc"
    		4  |   description = "Allow Inbound NFS Traffic from EKS VPC CIDR"
    		5  |   vpc_id      = data.terraform_remote_state.eks.outputs.vpc_id
    		6  | 
    		7  |   ingress {
    		8  |     description      = "Allow Inbound NFS Traffic from EKS VPC CIDR to EFS File System"
    		9  |     from_port        = 2049
    		10 |     to_port          = 2049
    		11 |     protocol         = "tcp"
    		12 |     cidr_blocks      = [data.terraform_remote_state.eks.outputs.vpc_cidr_block]
    		13 |   }
    		14 | 
    		15 |   egress {
    		16 |     from_port        = 0
    		17 |     to_port          = 0
    		18 |     protocol         = "-1"
    		19 |     cidr_blocks      = ["0.0.0.0/0"]
    		20 |   }
    		21 | 
    		22 |   tags = {
    		23 |     Name = "allow_nfs_from_eks_vpc"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"    
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | } 
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-02-myapp1-loadbalancer-service.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-clb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec[0].selector[0].match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 80
    		13 |     }
    		14 |     type = "LoadBalancer"
    		15 |   }
    		16 | }
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.network_lb_service
    	File: /BACKUP-BEFORE-MAY2023/47-EKS-EFS-Static-Provisioning/03-efs-static-prov-terraform-manifests/c6-03-myapp1-network-loadbalancer-service.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "network_lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-network-lb-service"
    		5  |     annotations = {
    		6  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec[0].selector[0].match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       port        = 80
    		15 |       target_port = 80
    		16 |     }
    		17 |     type = "LoadBalancer"
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_public
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c5-07-eks-node-group-public.tf:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_public" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-public"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.public_subnets
    		8  |   #version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   #instance_types = ["t3.medium"]
    		14 |   instance_types = ["t3.large"]
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 | 
    		41 |   tags = {
    		42 |     Name = "Public-Node-Group"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.efs_allow_access
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		2  | resource "aws_security_group" "efs_allow_access" {
    		3  |   name        = "efs-allow-nfs-from-eks-vpc"
    		4  |   description = "Allow Inbound NFS Traffic from EKS VPC CIDR"
    		5  |   vpc_id      = data.terraform_remote_state.eks.outputs.vpc_id
    		6  | 
    		7  |   ingress {
    		8  |     description      = "Allow Inbound NFS Traffic from EKS VPC CIDR to EFS File System"
    		9  |     from_port        = 2049
    		10 |     to_port          = 2049
    		11 |     protocol         = "tcp"
    		12 |     cidr_blocks      = [data.terraform_remote_state.eks.outputs.vpc_cidr_block]
    		13 |   }
    		14 | 
    		15 |   egress {
    		16 |     from_port        = 0
    		17 |     to_port          = 0
    		18 |     protocol         = "-1"
    		19 |     cidr_blocks      = ["0.0.0.0/0"]
    		20 |   }
    		21 | 
    		22 |   tags = {
    		23 |     Name = "allow_nfs_from_eks_vpc"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |   }
    		7  |   spec {
    		8  |     container {
    		9  |       name  = "efs-write-app"
    		10 |       image = "busybox"
    		11 |       command = ["/bin/sh"]
    		12 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		13 |       volume_mount {
    		14 |         name = "persistent-storage"
    		15 |         mount_path = "/data"
    		16 |       }
    		17 |   }
    		18 |   volume {
    		19 |     name = "persistent-storage"
    		20 |     persistent_volume_claim {
    		21 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		22 |     } 
    		23 |   }
    		24 | }
    		25 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |   }
    		7  |    spec {
    		8  |     replicas = 2
    		9  |     selector {
    		10 |       match_labels = {
    		11 |         app = "myapp1"
    		12 |       }
    		13 |     }
    		14 |     template {
    		15 |       metadata {
    		16 |         name = "myapp1-pod"
    		17 |         labels = {
    		18 |           app = "myapp1"
    		19 |         }
    		20 |       }
    		21 |       spec {
    		22 |         container {
    		23 |           name  = "myapp1-container"
    		24 |           image = "stacksimplify/kubenginx:1.0.0"
    		25 |           port {
    		26 |             container_port = 80
    		27 |           }
    		28 |           volume_mount {
    		29 |             name = "persistent-storage"
    		30 |             mount_path = "/usr/share/nginx/html/efs"
    		31 |           }
    		32 |         }
    		33 |         volume {          
    		34 |           name = "persistent-storage"
    		35 |           persistent_volume_claim {
    		36 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		37 |         }
    		38 |       }
    		39 |     }
    		40 |   }
    		41 | }
    		42 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.lb_service
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-02-myapp1-loadbalancer-service.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-clb-service"
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.myapp1.spec[0].selector[0].match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       port        = 80
    		12 |       target_port = 80
    		13 |     }
    		14 |     type = "LoadBalancer"
    		15 |   }
    		16 | }
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.network_lb_service
    	File: /BACKUP-BEFORE-MAY2023/48-EKS-EFS-Dynamic-Provisioning/03-efs-dynamic-prov-terraform-manifests/c6-03-myapp1-network-loadbalancer-service.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "network_lb_service" {
    		3  |   metadata {
    		4  |     name = "myapp1-network-lb-service"
    		5  |     annotations = {
    		6  |       "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"    # To create Network Load Balancer
    		7  |     }
    		8  |   }
    		9  |   spec {
    		10 |     selector = {
    		11 |       app = kubernetes_deployment_v1.myapp1.spec[0].selector[0].match_labels.app
    		12 |     }
    		13 |     port {
    		14 |       port        = 80
    		15 |       target_port = 80
    		16 |     }
    		17 |     type = "LoadBalancer"
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |   }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.efs_allow_access
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		2  | resource "aws_security_group" "efs_allow_access" {
    		3  |   name        = "efs-allow-nfs-from-eks-vpc"
    		4  |   description = "Allow Inbound NFS Traffic from VPC CIDR"
    		5  |   vpc_id      = data.terraform_remote_state.eks.outputs.vpc_id
    		6  | 
    		7  |   ingress {
    		8  |     description      = "Allow Inbound NFS Traffic from EKS VPC CIDR to EFS File System"
    		9  |     from_port        = 2049
    		10 |     to_port          = 2049
    		11 |     protocol         = "tcp"
    		12 |     cidr_blocks      = [data.terraform_remote_state.eks.outputs.vpc_cidr_block]
    		13 |   }
    		14 | 
    		15 |   egress {
    		16 |     from_port        = 0
    		17 |     to_port          = 0
    		18 |     protocol         = "-1"
    		19 |     cidr_blocks      = ["0.0.0.0/0"]
    		20 |   }
    		21 | 
    		22 |   tags = {
    		23 |     Name = "allow_nfs_from_eks_vpc"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Static Provisioning Test $(date -u) >> /data/efs-static.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/04-efs-static-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.efs_allow_access
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:2-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		2  | resource "aws_security_group" "efs_allow_access" {
    		3  |   name        = "efs-allow-nfs-from-eks-vpc"
    		4  |   description = "Allow Inbound NFS Traffic from VPC CIDR"
    		5  |   vpc_id      = data.terraform_remote_state.eks.outputs.vpc_id
    		6  | 
    		7  |   ingress {
    		8  |     description      = "Allow Inbound NFS Traffic from EKS VPC CIDR to EFS File System"
    		9  |     from_port        = 2049
    		10 |     to_port          = 2049
    		11 |     protocol         = "tcp"
    		12 |     cidr_blocks      = [data.terraform_remote_state.eks.outputs.vpc_cidr_block]
    		13 |   }
    		14 | 
    		15 |   egress {
    		16 |     from_port        = 0
    		17 |     to_port          = 0
    		18 |     protocol         = "-1"
    		19 |     cidr_blocks      = ["0.0.0.0/0"]
    		20 |   }
    		21 | 
    		22 |   tags = {
    		23 |     Name = "allow_nfs_from_eks_vpc"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
    	FAILED for resource: aws_efs_file_system.efs_file_system
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c4-01-efs-resource.tf:29-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
    
    		29 | resource "aws_efs_file_system" "efs_file_system" {
    		30 |   creation_token = "efs-demo"
    		31 |   tags = {
    		32 |     Name = "efs-demo"
    		33 |   }
    		34 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_pod_v1.efs_write_app_pod
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c5-write-to-efs-pod.tf:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_pod_v1" "efs_write_app_pod" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "efs-write-app"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |   spec {
    		9  |     container {
    		10 |       name  = "efs-write-app"
    		11 |       image = "busybox"
    		12 |       command = ["/bin/sh"]
    		13 |       args = ["-c", "while true; do echo EFS Kubernetes Dynamic Provisioning Test $(date -u) >> /data/efs-dynamic.txt; sleep 5; done"]
    		14 |       volume_mount {
    		15 |         name = "persistent-storage"
    		16 |         mount_path = "/data"
    		17 |       }
    		18 |   }
    		19 |   volume {
    		20 |     name = "persistent-storage"
    		21 |     persistent_volume_claim {
    		22 |       claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		23 |     } 
    		24 |   }
    		25 | }
    		26 | } 
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp1
    	File: /BACKUP-BEFORE-MAY2023/49-EKS-EFS-Fargate/05-efs-dynamic-prov-terraform-manifests/c6-01-myapp1-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp1" {
    		3  |   depends_on = [ aws_efs_mount_target.efs_mount_target]  
    		4  |   metadata {
    		5  |     name = "myapp1"
    		6  |     namespace = "fp-ns-app1"    
    		7  |   }
    		8  |    spec {
    		9  |     replicas = 2
    		10 |     selector {
    		11 |       match_labels = {
    		12 |         app = "myapp1"
    		13 |       }
    		14 |     }
    		15 |     template {
    		16 |       metadata {
    		17 |         name = "myapp1-pod"
    		18 |         labels = {
    		19 |           app = "myapp1"
    		20 |         }
    		21 |       }
    		22 |       spec {
    		23 |         container {
    		24 |           name  = "myapp1-container"
    		25 |           image = "stacksimplify/kubenginx:1.0.0"
    		26 |           port {
    		27 |             container_port = 80
    		28 |           }
    		29 |           volume_mount {
    		30 |             name = "persistent-storage"
    		31 |             mount_path = "/usr/share/nginx/html/efs"
    		32 |           }
    		33 |         }
    		34 |         volume {          
    		35 |           name = "persistent-storage"
    		36 |           persistent_volume_claim {
    		37 |           claim_name = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name 
    		38 |         }
    		39 |       }
    		40 |     }
    		41 |   }
    		42 | }
    		43 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.cluster_autoscaler_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/02-cluster-autoscaler-install-terraform-manifests/c4-01-cluster-autoscaler-iam-policy-and-role.tf:2-29
    
    		2  | resource "aws_iam_policy" "cluster_autoscaler_iam_policy" {
    		3  |   name        = "${local.name}-AmazonEKSClusterAutoscalerPolicy"
    		4  |   path        = "/"
    		5  |   description = "EKS Cluster Autoscaler Policy"
    		6  | 
    		7  |   # Terraform's "jsonencode" function converts a
    		8  |   # Terraform expression result to valid JSON syntax.
    		9  |   policy = jsonencode({
    		10 |     "Version": "2012-10-17",
    		11 |     "Statement": [
    		12 |         {
    		13 |             "Action": [
    		14 |                 "autoscaling:DescribeAutoScalingGroups",
    		15 |                 "autoscaling:DescribeAutoScalingInstances",
    		16 |                 "autoscaling:DescribeInstances",
    		17 |                 "autoscaling:DescribeLaunchConfigurations",
    		18 |                 "autoscaling:DescribeTags",
    		19 |                 "autoscaling:SetDesiredCapacity",
    		20 |                 "autoscaling:TerminateInstanceInAutoScalingGroup",
    		21 |                 "ec2:DescribeLaunchTemplateVersions",
    		22 |                 "ec2:DescribeInstanceTypes"
    		23 |             ],
    		24 |             "Resource": "*",
    		25 |             "Effect": "Allow"
    		26 |         }
    		27 |     ]
    		28 | })
    		29 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy.cluster_autoscaler_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/50-EKS-Cluster-Autoscaler/02-cluster-autoscaler-install-terraform-manifests/c4-01-cluster-autoscaler-iam-policy-and-role.tf:2-29
    
    		2  | resource "aws_iam_policy" "cluster_autoscaler_iam_policy" {
    		3  |   name        = "${local.name}-AmazonEKSClusterAutoscalerPolicy"
    		4  |   path        = "/"
    		5  |   description = "EKS Cluster Autoscaler Policy"
    		6  | 
    		7  |   # Terraform's "jsonencode" function converts a
    		8  |   # Terraform expression result to valid JSON syntax.
    		9  |   policy = jsonencode({
    		10 |     "Version": "2012-10-17",
    		11 |     "Statement": [
    		12 |         {
    		13 |             "Action": [
    		14 |                 "autoscaling:DescribeAutoScalingGroups",
    		15 |                 "autoscaling:DescribeAutoScalingInstances",
    		16 |                 "autoscaling:DescribeInstances",
    		17 |                 "autoscaling:DescribeLaunchConfigurations",
    		18 |                 "autoscaling:DescribeTags",
    		19 |                 "autoscaling:SetDesiredCapacity",
    		20 |                 "autoscaling:TerminateInstanceInAutoScalingGroup",
    		21 |                 "ec2:DescribeLaunchTemplateVersions",
    		22 |                 "ec2:DescribeInstanceTypes"
    		23 |             ],
    		24 |             "Resource": "*",
    		25 |             "Effect": "Allow"
    		26 |         }
    		27 |     ]
    		28 | })
    		29 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.cluster_autoscaler_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/02-cluster-autoscaler-install-terraform-manifests/c4-01-cluster-autoscaler-iam-policy-and-role.tf:2-29
    
    		2  | resource "aws_iam_policy" "cluster_autoscaler_iam_policy" {
    		3  |   name        = "${local.name}-AmazonEKSClusterAutoscalerPolicy"
    		4  |   path        = "/"
    		5  |   description = "EKS Cluster Autoscaler Policy"
    		6  | 
    		7  |   # Terraform's "jsonencode" function converts a
    		8  |   # Terraform expression result to valid JSON syntax.
    		9  |   policy = jsonencode({
    		10 |     "Version": "2012-10-17",
    		11 |     "Statement": [
    		12 |         {
    		13 |             "Action": [
    		14 |                 "autoscaling:DescribeAutoScalingGroups",
    		15 |                 "autoscaling:DescribeAutoScalingInstances",
    		16 |                 "autoscaling:DescribeInstances",
    		17 |                 "autoscaling:DescribeLaunchConfigurations",
    		18 |                 "autoscaling:DescribeTags",
    		19 |                 "autoscaling:SetDesiredCapacity",
    		20 |                 "autoscaling:TerminateInstanceInAutoScalingGroup",
    		21 |                 "ec2:DescribeLaunchTemplateVersions",
    		22 |                 "ec2:DescribeInstanceTypes"
    		23 |             ],
    		24 |             "Resource": "*",
    		25 |             "Effect": "Allow"
    		26 |         }
    		27 |     ]
    		28 | })
    		29 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy.cluster_autoscaler_iam_policy
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/02-cluster-autoscaler-install-terraform-manifests/c4-01-cluster-autoscaler-iam-policy-and-role.tf:2-29
    
    		2  | resource "aws_iam_policy" "cluster_autoscaler_iam_policy" {
    		3  |   name        = "${local.name}-AmazonEKSClusterAutoscalerPolicy"
    		4  |   path        = "/"
    		5  |   description = "EKS Cluster Autoscaler Policy"
    		6  | 
    		7  |   # Terraform's "jsonencode" function converts a
    		8  |   # Terraform expression result to valid JSON syntax.
    		9  |   policy = jsonencode({
    		10 |     "Version": "2012-10-17",
    		11 |     "Statement": [
    		12 |         {
    		13 |             "Action": [
    		14 |                 "autoscaling:DescribeAutoScalingGroups",
    		15 |                 "autoscaling:DescribeAutoScalingInstances",
    		16 |                 "autoscaling:DescribeInstances",
    		17 |                 "autoscaling:DescribeLaunchConfigurations",
    		18 |                 "autoscaling:DescribeTags",
    		19 |                 "autoscaling:SetDesiredCapacity",
    		20 |                 "autoscaling:TerminateInstanceInAutoScalingGroup",
    		21 |                 "ec2:DescribeLaunchTemplateVersions",
    		22 |                 "ec2:DescribeInstanceTypes"
    		23 |             ],
    		24 |             "Resource": "*",
    		25 |             "Effect": "Allow"
    		26 |         }
    		27 |     ]
    		28 | })
    		29 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_13: "Memory requests should be set"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: kubernetes_deployment_v1.myapp3
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c4-kubernetes-app3-deployment.tf:2-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | resource "kubernetes_deployment_v1" "myapp3" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-deployment"
    		5  |     labels = {
    		6  |       app = "app3-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 1
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "app3-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "app3-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "k8s.gcr.io/hpa-example"
    		29 |           name  = "app3-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             limits = {
    		35 |               cpu = "500m"
    		36 |             }
    		37 |             requests = {
    		38 |               cpu = "200m"
    		39 |             }
    		40 |           }
    		41 |           }
    		42 |         }
    		43 |       }
    		44 |     }
    		45 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_cip_service
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/04-hpa-demo-terraform-manifests/c5-kubernetes-app3-clusterip-service.tf:2-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_cip_service" {
    		3  |   metadata {
    		4  |     name = "app3-nginx-cip-service"
    		5  |     annotations = {
    		6  |       #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		7  |       #"alb.ingress.kubernetes.io/healthcheck-path" = "/index.html"
    		8  |     }    
    		9  |   }
    		10 |   spec {
    		11 |     selector = {
    		12 |       app = kubernetes_deployment_v1.myapp3.spec.0.selector.0.match_labels.app
    		13 |     }
    		14 |     port {
    		15 |       name        = "http"
    		16 |       port        = 80
    		17 |       target_port = 80
    		18 |     }
    		19 |     type = "ClusterIP"
    		20 |   }
    		21 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_11: "CPU Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_30: "Apply security context to your pods and containers"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_12: "Memory Limits should be set"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: kubernetes_deployment_v1.vpa_demo_app
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-02-vpa-sample-app-deployment.tf:2-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | resource "kubernetes_deployment_v1" "vpa_demo_app" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-deployment" 
    		5  |     labels = {
    		6  |       app = "vpa-nginx"
    		7  |     }
    		8  |   } 
    		9  |  
    		10 |   spec {
    		11 |     replicas = 4
    		12 | 
    		13 |     selector {
    		14 |       match_labels = {
    		15 |         app = "vpa-nginx"
    		16 |       }
    		17 |     }
    		18 | 
    		19 |     template {
    		20 |       metadata {
    		21 |         labels = {
    		22 |           app = "vpa-nginx"
    		23 |         }
    		24 |       }
    		25 | 
    		26 |       spec {
    		27 |         container {
    		28 |           image = "stacksimplify/kubenginx:1.0.0"
    		29 |           name  = "vpa-nginx"
    		30 |           port {
    		31 |             container_port = 80
    		32 |           }
    		33 |           resources {
    		34 |             requests = {
    		35 |               cpu = "5m"
    		36 |               memory = "5Mi"
    		37 |             }
    		38 |           }
    		39 |           }
    		40 |         }
    		41 |       }
    		42 |     }
    		43 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: kubernetes_service_v1.myapp3_cip_service
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/05-vpa-demo-terraform-manifests/c4-03-vpa-sample-app-service.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | resource "kubernetes_service_v1" "myapp3_cip_service" {
    		3  |   metadata {
    		4  |     name = "vpa-demo-service-nginx" 
    		5  |   }
    		6  |   spec {
    		7  |     selector = {
    		8  |       app = kubernetes_deployment_v1.vpa_demo_app.spec.0.selector.0.match_labels.app
    		9  |     }
    		10 |     port {
    		11 |       name        = "http"
    		12 |       port        = 80
    		13 |       target_port = 80
    		14 |     }
    		15 |     type = "ClusterIP"
    		16 |   }
    		17 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksreadonly_user
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c10-02-iam-group-and-user-eksreadonly.tf:31-36
    
    		31 | resource "aws_iam_user" "eksreadonly_user" {
    		32 |   name = "${local.name}-eksreadonly1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksdeveloper_user
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c11-02-iam-group-and-user-eksdeveloper.tf:31-36
    
    		31 | resource "aws_iam_user" "eksdeveloper_user" {
    		32 |   name = "${local.name}-eksdeveloper1"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_role_v1.eksdeveloper_role
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c11-05-k8s-role-rolebinding.tf:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | resource "kubernetes_role_v1" "eksdeveloper_role" {
    		3  |   #depends_on = [kubernetes_namespace_v1.k8s_dev]
    		4  |   metadata {
    		5  |     name = "${local.name}-eksdeveloper-role"
    		6  |     namespace = kubernetes_namespace_v1.k8s_dev.metadata[0].name 
    		7  |   }
    		8  | 
    		9  |   rule {
    		10 |     api_groups     = ["", "extensions", "apps"]
    		11 |     resources      = ["*"]
    		12 |     verbs          = ["*"]
    		13 |   }
    		14 |   rule {
    		15 |     api_groups = ["batch"]
    		16 |     resources  = ["jobs", "cronjobs"]
    		17 |     verbs      = ["*"]
    		18 |   }
    		19 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks_cluster
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c5-06-eks-cluster.tf:2-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		2  | resource "aws_eks_cluster" "eks_cluster" {
    		3  |   name     = "${local.name}-${var.cluster_name}"
    		4  |   role_arn = aws_iam_role.eks_master_role.arn
    		5  |   version = var.cluster_version
    		6  | 
    		7  |   vpc_config {
    		8  |     subnet_ids = module.vpc.public_subnets
    		9  |     endpoint_private_access = var.cluster_endpoint_private_access
    		10 |     endpoint_public_access  = var.cluster_endpoint_public_access
    		11 |     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs    
    		12 |   }
    		13 | 
    		14 |   kubernetes_network_config {
    		15 |     service_ipv4_cidr = var.cluster_service_ipv4_cidr
    		16 |   }
    		17 |   
    		18 |   # Enable EKS Cluster Control Plane Logging
    		19 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    		20 | 
    		21 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		22 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		23 |   depends_on = [
    		24 |     aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    		25 |     aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
    		26 |   ]
    		27 | }
    
    Check: CKV_AWS_100: "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0"
    	FAILED for resource: aws_eks_node_group.eks_ng_private
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c5-08-eks-node-group-private.tf:2-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-5.html
    
    		2  | resource "aws_eks_node_group" "eks_ng_private" {
    		3  |   cluster_name    = aws_eks_cluster.eks_cluster.name
    		4  | 
    		5  |   node_group_name = "${local.name}-eks-ng-private"
    		6  |   node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
    		7  |   subnet_ids      = module.vpc.private_subnets
    		8  |   version = var.cluster_version #(Optional: Defaults to EKS Cluster Kubernetes version)    
    		9  |   
    		10 |   ami_type = "AL2_x86_64"  
    		11 |   capacity_type = "ON_DEMAND"
    		12 |   disk_size = 20
    		13 |   instance_types = ["t3.large"]
    		14 |   
    		15 |   
    		16 |   remote_access {
    		17 |     ec2_ssh_key = "eks-terraform-key"    
    		18 |   }
    		19 | 
    		20 |   scaling_config {
    		21 |     desired_size = 2
    		22 |     min_size     = 2    
    		23 |     max_size     = 3
    		24 |   }
    		25 | 
    		26 |   # Desired max percentage of unavailable worker nodes during node group update.
    		27 |   update_config {
    		28 |     max_unavailable = 1    
    		29 |     #max_unavailable_percentage = 50    # ANY ONE TO USE
    		30 |   }
    		31 | 
    		32 |   # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
    		33 |   # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
    		34 |   depends_on = [
    		35 |     aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    		36 |     aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    		37 |     aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
    		38 |     kubernetes_config_map_v1.aws_auth 
    		39 |   ] 
    		40 |   tags = {
    		41 |     Name = "Private-Node-Group"
    		42 |     # Cluster Autoscaler Tags
    		43 |     "k8s.io/cluster-autoscaler/${local.eks_cluster_name}" = "owned"
    		44 |     "k8s.io/cluster-autoscaler/enabled" = "TRUE"	    
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.admin_user
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:2-7
    
    		2 | resource "aws_iam_user" "admin_user" {
    		3 |   name = "${local.name}-eksadmin1"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy_attachment.admin_user
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-01-iam-admin-user.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy_attachment" "admin_user" {
    		11 |   user       = aws_iam_user.admin_user.name
    		12 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		13 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.basic_user
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:2-7
    
    		2 | resource "aws_iam_user" "basic_user" {
    		3 |   name = "${local.name}-eksadmin2"
    		4 |   path = "/"
    		5 |   force_destroy = true
    		6 |   tags = local.common_tags
    		7 | }
    
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.basic_user_eks_policy
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c8-02-iam-basic-user.tf:10-31
    
    		10 | resource "aws_iam_user_policy" "basic_user_eks_policy" {
    		11 |   name = "${local.name}-eks-dashboard-full-access-policy"
    		12 |   user = aws_iam_user.basic_user.name
    		13 | 
    		14 |   # Terraform's "jsonencode" function converts a
    		15 |   # Terraform expression result to valid JSON syntax.
    		16 |   policy = jsonencode({
    		17 |     Version = "2012-10-17"
    		18 |     Statement = [
    		19 |       {
    		20 |         Action = [
    		21 |           "iam:ListRoles",
    		22 |           "eks:*",
    		23 |           "ssm:GetParameter"
    		24 |         ]
    		25 |         Effect   = "Allow"
    		26 |         Resource = "*"
    		27 |         #Resource = "${aws_eks_cluster.eks_cluster.arn}"
    		28 |       },
    		29 |     ]
    		30 |   })
    		31 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.eksadmin_user
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/01-ekscluster-terraform-manifests/c9-02-iam-group-and-user-eksadmins.tf:31-36
    
    		31 | resource "aws_iam_user" "eksadmin_user" {
    		32 |   name = "${local.name}-eksadmin3"
    		33 |   path = "/"
    		34 |   force_destroy = true
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.ec2demo
    	File: /02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		18 | resource "aws_instance" "ec2demo" {
    		19 |   ami           = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
    		20 |   instance_type = "t2.micro"
    		21 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.ec2demo
    	File: /02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		29 | resource "aws_instance" "ec2demo" {
    		30 |   ami           = "ami-04d29b6f966df1537" # Amazon Linux
    		31 |   instance_type = var.instance_type
    		32 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm
    	File: /03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2 | resource "aws_instance" "myec2vm" {
    		3 |   ami = "ami-0742b4e673072066f"
    		4 |   instance_type = "t3.micro"
    		5 |   user_data = file("${path.module}/app1-install.sh")
    		6 |   tags = {
    		7 |     "Name" = "EC2 Demo"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm
    	File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   tags = {
    		9  |     "Name" = "EC2 Demo 2"
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm[0]
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		11 | resource "aws_instance" "myec2vm" {
    		12 |   ami = data.aws_ami.amzlinux2.id
    		13 |   instance_type = var.instance_type
    		14 |   user_data = file("${path.module}/app1-install.sh")
    		15 |   key_name = var.instance_keypair
    		16 |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		17 |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		18 |   for_each = toset(data.aws_availability_zones.my_azones.names)
    		19 |   availability_zone = each.key  # You can also use each.value because for list items each.key == each.value
    		20 |   tags = {
    		21 |     "Name" = "for_each-Demo-${each.value}"
    		22 |   }
    		23 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
    		11 |   az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type: 
    		11 |     az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.ec2demo
    	File: /BACKUP-BEFORE-MAY2023/02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		18 | resource "aws_instance" "ec2demo" {
    		19 |   ami           = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
    		20 |   instance_type = "t2.micro"
    		21 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.ec2demo
    	File: /BACKUP-BEFORE-MAY2023/02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		29 | resource "aws_instance" "ec2demo" {
    		30 |   ami           = "ami-04d29b6f966df1537" # Amazon Linux
    		31 |   instance_type = var.instance_type
    		32 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2 | resource "aws_instance" "myec2vm" {
    		3 |   ami = "ami-0742b4e673072066f"
    		4 |   instance_type = "t3.micro"
    		5 |   user_data = file("${path.module}/app1-install.sh")
    		6 |   tags = {
    		7 |     "Name" = "EC2 Demo"
    		8 |   }
    		9 | }
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   tags = {
    		9  |     "Name" = "EC2 Demo 2"
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm[0]
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		11 | resource "aws_instance" "myec2vm" {
    		12 |   ami = data.aws_ami.amzlinux2.id
    		13 |   instance_type = var.instance_type
    		14 |   user_data = file("${path.module}/app1-install.sh")
    		15 |   key_name = var.instance_keypair
    		16 |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		17 |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		18 |   for_each = toset(data.aws_availability_zones.my_azones.names)
    		19 |   availability_zone = each.key  # You can also use each.value because for list items each.key == each.value
    		20 |   tags = {
    		21 |     "Name" = "for_each-Demo-${each.value}"
    		22 |   }
    		23 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
    		11 |   az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   user_data = file("${path.module}/app1-install.sh")
    		6  |   key_name = var.instance_keypair
    		7  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		8  |   # Create EC2 Instance in all Availabilty Zones of a VPC  
    		9  |   #for_each = toset(data.aws_availability_zones.my_azones.names)
    		10 |   for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type: 
    		11 |     az => details.instance_types if length(details.instance_types) != 0 }))
    		12 |   availability_zone = each.key # You can also use each.value because for list items each.key == each.value
    		13 |   tags = {
    		14 |     "Name" = "For-Each-Demo-${each.key}"
    		15 |   }
    		16 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm[1]
    	File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myec2vm[1]
    	File: /BACKUP-BEFORE-MAY2023/05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		2  | resource "aws_instance" "myec2vm" {
    		3  |   ami = data.aws_ami.amzlinux2.id
    		4  |   instance_type = var.instance_type
    		5  |   #instance_type = var.instance_type_list[1]  # For List
    		6  |   #nstance_type = var.instance_type_map["prod"]  # For Map
    		7  |   user_data = file("${path.module}/app1-install.sh")
    		8  |   key_name = var.instance_keypair
    		9  |   vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id   ]
    		10 |   count = 2
    		11 |   tags = {
    		12 |     "Name" = "Count-Demo-${count.index}"
    		13 |   }
    		14 | }
    
    kubernetes scan results:
    
    Passed checks: 6950, Failed checks: 2050, Skipped checks: 0
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.basics-lbc-network-lb
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/02-LBC-NLB-LoadBalancer-Service.yml:1-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: basics-lbc-network-lb
    		5  |   annotations:
    		6  |     # Traffic Routing
    		7  |     service.beta.kubernetes.io/aws-load-balancer-name: basics-lbc-network-lb
    		8  |     service.beta.kubernetes.io/aws-load-balancer-type: external
    		9  |     service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance # specifies the target type to configure for NLB. You can choose between instance and ip
    		10 |     #service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet ## Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.
    		11 |     
    		12 |     # Health Check Settings
    		13 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
    		14 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
    		15 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /index.html
    		16 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "3"
    		17 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "3"
    		18 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "10" # The controller currently ignores the timeout configuration due to the limitations on the AWS NLB. The default timeout for TCP is 10s and HTTP is 6s.
    		19 | 
    		20 |     # Access Control
    		21 |     service.beta.kubernetes.io/load-balancer-source-ranges: 0.0.0.0/0  # specifies the CIDRs that are allowed to access the NLB.
    		22 |     service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" # specifies whether the NLB will be internet-facing or internal
    		23 | 
    		24 |     # AWS Resource Tags
    		25 |     service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Environment=dev,Team=test
    		26 | spec:
    		27 |   type: LoadBalancer
    		28 |   selector:
    		29 |     app: app3-nginx
    		30 |   ports:
    		31 |     - port: 80
    		32 |       targetPort: 80
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-cip-service
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/02-service.yaml:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |  name: app3-nginx-cip-service
    		5  |  labels:
    		6  |    app: app3-nginx-cip-service
    		7  | spec:
    		8  |  ports:
    		9  |  - port: 80
    		10 |  selector:
    		11 |    app: app3-nginx-deployment
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.app2-ingress
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/02-App2-Ingress.yml:3-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		3  | apiVersion: networking.k8s.io/v1
    		4  | kind: Ingress
    		5  | metadata:
    		6  |   name: app2-ingress
    		7  |   annotations:
    		8  |     # Ingress Core Settings  
    		9  |     #kubernetes.io/ingress.class: "alb"
    		10 |     alb.ingress.kubernetes.io/scheme: internet-facing
    		11 |     # Load Balancer Name
    		12 |     alb.ingress.kubernetes.io/load-balancer-name: ingress-groups-demo
    		13 |     # Health Check Settings
    		14 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		15 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		16 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		17 |     #alb.ingress.kubernetes.io/healthcheck-path: /usermgmt/health-status
    		18 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		19 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		20 |     alb.ingress.kubernetes.io/success-codes: '200'
    		21 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		22 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    		23 |     ## SSL Settings
    		24 |     alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    		25 |     #alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/0d86500a-08b3-4f17-8fb4-f09532ba0522
    		26 |     #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    
    		27 |     # SSL Redirect Setting
    		28 |     alb.ingress.kubernetes.io/ssl-redirect: '443'
    		29 |     # External DNS - For creating a Record Set in Route53
    		30 |     external-dns.alpha.kubernetes.io/hostname: ingress-groups-demo601.stacksimplify.com 
    		31 |     # Ingress Groups
    		32 |     alb.ingress.kubernetes.io/group.name: myapps.web
    		33 |     alb.ingress.kubernetes.io/group.order: '20'
    		34 | spec:
    		35 |   ingressClassName: my-aws-ingress-class   # Ingress Class
    		36 |   # SSL Certificate Discovery using TLS        
    		37 |   tls:
    		38 |   - hosts:
    		39 |     - "*.stacksimplify.com"  
    		40 |   rules:  
    		41 |     - http:
    		42 |         paths:
    		43 |           - path: /app2
    		44 |             pathType: Prefix
    		45 |             backend:
    		46 |               service:
    		47 |                 name: app2-nginx-nodeport-service
    		48 |                 port: 
    		49 |                   number: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.app1-ingress
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/02-App1-Ingress.yml:3-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		3  | apiVersion: networking.k8s.io/v1
    		4  | kind: Ingress
    		5  | metadata:
    		6  |   name: app1-ingress
    		7  |   annotations:
    		8  |     # Load Balancer Name
    		9  |     alb.ingress.kubernetes.io/load-balancer-name: ingress-groups-demo
    		10 |     # Ingress Core Settings  
    		11 |     #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource)
    		12 |     alb.ingress.kubernetes.io/scheme: internet-facing    
    		13 |     # Health Check Settings
    		14 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		15 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		16 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		17 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		18 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		19 |     alb.ingress.kubernetes.io/success-codes: '200'
    		20 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		21 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    		22 |     ## SSL Settings
    		23 |     alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    		24 |     #alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/0d86500a-08b3-4f17-8fb4-f09532ba0522
    		25 |     #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    
    		26 |     # SSL Redirect Setting
    		27 |     alb.ingress.kubernetes.io/ssl-redirect: '443'
    		28 |     # External DNS - For creating a Record Set in Route53
    		29 |     external-dns.alpha.kubernetes.io/hostname: ingress-groups-demo601.stacksimplify.com 
    		30 |     # Ingress Groups
    		31 |     alb.ingress.kubernetes.io/group.name: myapps.web
    		32 |     alb.ingress.kubernetes.io/group.order: '10'
    		33 | spec:
    		34 |   ingressClassName: my-aws-ingress-class   # Ingress Class
    		35 |   # SSL Certificate Discovery using TLS        
    		36 |   tls:
    		37 |   - hosts:
    		38 |     - "*.stacksimplify.com"  
    		39 |   rules:  
    		40 |     - http:
    		41 |         paths:
    		42 |           - path: /app1
    		43 |             pathType: Prefix
    		44 |             backend:
    		45 |               service:
    		46 |                 name: app1-nginx-nodeport-service
    		47 |                 port: 
    		48 |                   number: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.app3-ingress
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/02-App3-Ingress-default-backend.yml:3-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		3  | apiVersion: networking.k8s.io/v1
    		4  | kind: Ingress
    		5  | metadata:
    		6  |   name: app3-ingress
    		7  |   annotations:
    		8  |     # Ingress Core Settings  
    		9  |     #kubernetes.io/ingress.class: "alb"
    		10 |     alb.ingress.kubernetes.io/scheme: internet-facing
    		11 |     # Load Balancer Name
    		12 |     alb.ingress.kubernetes.io/load-balancer-name: ingress-groups-demo
    		13 |     # Health Check Settings
    		14 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		15 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		16 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		17 |     #alb.ingress.kubernetes.io/healthcheck-path: /usermgmt/health-status
    		18 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		19 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		20 |     alb.ingress.kubernetes.io/success-codes: '200'
    		21 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		22 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    		23 |     ## SSL Settings
    		24 |     alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    		25 |     #alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/0d86500a-08b3-4f17-8fb4-f09532ba0522
    		26 |     #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    
    		27 |     # SSL Redirect Setting
    		28 |     alb.ingress.kubernetes.io/ssl-redirect: '443'
    		29 |     # External DNS - For creating a Record Set in Route53
    		30 |     external-dns.alpha.kubernetes.io/hostname: ingress-groups-demo601.stacksimplify.com 
    		31 |     # Ingress Groups
    		32 |     alb.ingress.kubernetes.io/group.name: myapps.web
    		33 |     alb.ingress.kubernetes.io/group.order: '30'
    		34 | spec:
    		35 |   ingressClassName: my-aws-ingress-class   # Ingress Class
    		36 |   # SSL Certificate Discovery using TLS        
    		37 |   tls:
    		38 |   - hosts:
    		39 |     - "*.stacksimplify.com"  
    		40 |   defaultBackend:
    		41 |     service:
    		42 |       name: app3-nginx-nodeport-service
    		43 |       port:
    		44 |         number: 80    
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-loadbalancer-service
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/02-Nginx-App1-LoadBalancer-Service.yml:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: app1-nginx-loadbalancer-service
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   annotations:
    		8  | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		9  |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		10 |     external-dns.alpha.kubernetes.io/hostname: extdns-k8s-service-demo101.stacksimplify.com
    		11 | spec:
    		12 |   type: LoadBalancer
    		13 |   selector:
    		14 |     app: app1-nginx
    		15 |   ports:
    		16 |     - port: 80
    		17 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.ca-demo-service-nginx
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:27-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		27 | apiVersion: v1
    		28 | kind: Service
    		29 | metadata:
    		30 |   name: ca-demo-service-nginx
    		31 |   labels:
    		32 |     app: ca-nginx
    		33 | spec:
    		34 |   type: LoadBalancer
    		35 |   selector:
    		36 |     app: ca-nginx
    		37 |   ports:
    		38 |   - port: 80
    		39 |     targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-namedbasedvhost-demo
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/04-ALB-Ingress-HostHeader-Routing.yml:2-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service-nlb
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/03-NLB-LoadBalancer-Service.yaml:1-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service-nlb
    		5  |   annotations:
    		6  |     service.beta.kubernetes.io/aws-load-balancer-type: nlb    # To create Network Load Balancer  
    		7  | spec:
    		8  |   type: LoadBalancer # ClusterIp, # NodePort
    		9  |   selector:
    		10 |     app: myapp1
    		11 |   ports: 
    		12 |     - name: http
    		13 |       port: 80 # Service Port
    		14 |       targetPort: 80 # Container Port
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/02-CLB-LoadBalancer-Service.yaml:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service
    		5  | spec:
    		6  |   type: LoadBalancer # ClusterIp, # NodePort
    		7  |   selector:
    		8  |     app: myapp1
    		9  |   ports: 
    		10 |     - name: http
    		11 |       port: 80 # Service Port
    		12 |       targetPort: 80 # Container Port
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: Role.dev.dev-ns-role
    	File: /25-EKS-DeveloperAccess-IAM-Users/02-kube-manifests-rb-r/02-k8s-role-rolebinding-dev-namespace.yaml:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | apiVersion: rbac.authorization.k8s.io/v1
    		3  | kind: Role
    		4  | metadata:
    		5  |   name: dev-ns-role
    		6  |   namespace: dev
    		7  | rules:
    		8  | - apiGroups: ["", "extensions", "apps"]
    		9  |   resources: ["*"]
    		10 |   verbs: ["*"]
    		11 | - apiGroups: ["batch"]
    		12 |   resources:
    		13 |   - jobs
    		14 |   - cronjobs
    		15 |   verbs: ["*"]
    		16 | ---
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Role.default.eks-console-dashboard-restricted-access-role
    	File: /25-EKS-DeveloperAccess-IAM-Users/other-files/eks-console-restricted-access.yaml:28-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		28 | apiVersion: rbac.authorization.k8s.io/v1
    		29 | kind: Role
    		30 | metadata:
    		31 |   namespace: default
    		32 |   name: eks-console-dashboard-restricted-access-role
    		33 | rules:
    		34 | - apiGroups:
    		35 |   - ""
    		36 |   resources: 
    		37 |   - pods
    		38 |   verbs:
    		39 |   - get
    		40 |   - list
    		41 | - apiGroups:
    		42 |   - apps
    		43 |   resources:
    		44 |   - deployments
    		45 |   - daemonsets
    		46 |   - statefulsets
    		47 |   - replicasets
    		48 |   verbs:
    		49 |   - get
    		50 |   - list
    		51 | - apiGroups:
    		52 |   - batch
    		53 |   resources:
    		54 |   - jobs
    		55 |   verbs:
    		56 |   - get
    		57 |   - list
    		58 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: RoleBinding.default.eks-console-dashboard-restricted-access-role-binding
    	File: /25-EKS-DeveloperAccess-IAM-Users/other-files/eks-console-restricted-access.yaml:59-71
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		59 | apiVersion: rbac.authorization.k8s.io/v1
    		60 | kind: RoleBinding
    		61 | metadata:
    		62 |   name: eks-console-dashboard-restricted-access-role-binding
    		63 |   namespace: default
    		64 | subjects:
    		65 | - kind: Group
    		66 |   name: eks-console-dashboard-restricted-access-group
    		67 |   apiGroup: rbac.authorization.k8s.io
    		68 | roleRef:
    		69 |   kind: Role
    		70 |   name: eks-console-dashboard-restricted-access-role
    		71 |   apiGroup: rbac.authorization.k8s.io
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-externaldns-demo
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/04-ALB-Ingress-SSL-Redirect-ExternalDNS.yml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-clusterip-service
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-clusterip-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: ClusterIP
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-clusterip-service
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-clusterip-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: ClusterIP
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-clusterip-service
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-clusterip-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: ClusterIP
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-target-type-ip-demo
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/04-ALB-Ingress-target-type-ip.yml:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.lbc-network-lb-internal
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/02-LBC-NLB-LoadBalancer-Service.yml:1-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: lbc-network-lb-internal
    		5  |   annotations:
    		6  |     # Traffic Routing
    		7  |     service.beta.kubernetes.io/aws-load-balancer-name: lbc-network-lb-internal
    		8  |     service.beta.kubernetes.io/aws-load-balancer-type: external
    		9  |     service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    		10 |     #service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet ## Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.
    		11 |     
    		12 |     # Health Check Settings
    		13 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
    		14 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
    		15 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /index.html
    		16 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "3"
    		17 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "3"
    		18 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "10" # The controller currently ignores the timeout configuration due to the limitations on the AWS NLB. The default timeout for TCP is 10s and HTTP is 6s.
    		19 | 
    		20 |     # Access Control
    		21 |     service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    		22 |     # The VPC CIDR will be used if service.beta.kubernetes.io/aws-load-balancer-scheme is internal
    		23 |     #service.beta.kubernetes.io/load-balancer-source-ranges: 0.0.0.0/0     
    		24 | 
    		25 |     # AWS Resource Tags
    		26 |     service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Environment=dev,Team=test
    		27 | spec:
    		28 |   type: LoadBalancer
    		29 |   selector:
    		30 |     app: app3-nginx
    		31 |   ports:
    		32 |     - port: 80
    		33 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.basics-lbc-network-lb
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/02-LBC-NLB-LoadBalancer-Service.yml:1-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: basics-lbc-network-lb
    		5  |   annotations:
    		6  |     # Traffic Routing
    		7  |     service.beta.kubernetes.io/aws-load-balancer-name: basics-lbc-network-lb
    		8  |     service.beta.kubernetes.io/aws-load-balancer-type: external
    		9  |     service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance # specifies the target type to configure for NLB. You can choose between instance and ip
    		10 |     #service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet ## Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.
    		11 |     
    		12 |     # Health Check Settings
    		13 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
    		14 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
    		15 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /index.html
    		16 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "3"
    		17 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "3"
    		18 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "10" # The controller currently ignores the timeout configuration due to the limitations on the AWS NLB. The default timeout for TCP is 10s and HTTP is 6s.
    		19 | 
    		20 |     # Access Control
    		21 |     service.beta.kubernetes.io/load-balancer-source-ranges: 0.0.0.0/0  # specifies the CIDRs that are allowed to access the NLB.
    		22 |     service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" # specifies whether the NLB will be internet-facing or internal
    		23 | 
    		24 |     # AWS Resource Tags
    		25 |     service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Environment=dev,Team=test
    		26 | spec:
    		27 |   type: LoadBalancer
    		28 |   selector:
    		29 |     app: app3-nginx
    		30 |   ports:
    		31 |     - port: 80
    		32 |       targetPort: 80
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-cip-service
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/02-service.yaml:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |  name: app3-nginx-cip-service
    		5  |  labels:
    		6  |    app: app3-nginx-cip-service
    		7  | spec:
    		8  |  ports:
    		9  |  - port: 80
    		10 |  selector:
    		11 |    app: app3-nginx-deployment
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.app2-ingress
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/02-App2-Ingress.yml:3-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		3  | apiVersion: networking.k8s.io/v1
    		4  | kind: Ingress
    		5  | metadata:
    		6  |   name: app2-ingress
    		7  |   annotations:
    		8  |     # Ingress Core Settings  
    		9  |     #kubernetes.io/ingress.class: "alb"
    		10 |     alb.ingress.kubernetes.io/scheme: internet-facing
    		11 |     # Load Balancer Name
    		12 |     alb.ingress.kubernetes.io/load-balancer-name: ingress-groups-demo
    		13 |     # Health Check Settings
    		14 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		15 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		16 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		17 |     #alb.ingress.kubernetes.io/healthcheck-path: /usermgmt/health-status
    		18 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		19 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		20 |     alb.ingress.kubernetes.io/success-codes: '200'
    		21 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		22 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    		23 |     ## SSL Settings
    		24 |     alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    		25 |     #alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/0d86500a-08b3-4f17-8fb4-f09532ba0522
    		26 |     #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    
    		27 |     # SSL Redirect Setting
    		28 |     alb.ingress.kubernetes.io/ssl-redirect: '443'
    		29 |     # External DNS - For creating a Record Set in Route53
    		30 |     external-dns.alpha.kubernetes.io/hostname: ingress-groups-demo601.stacksimplify.com 
    		31 |     # Ingress Groups
    		32 |     alb.ingress.kubernetes.io/group.name: myapps.web
    		33 |     alb.ingress.kubernetes.io/group.order: '20'
    		34 | spec:
    		35 |   ingressClassName: my-aws-ingress-class   # Ingress Class
    		36 |   # SSL Certificate Discovery using TLS        
    		37 |   tls:
    		38 |   - hosts:
    		39 |     - "*.stacksimplify.com"  
    		40 |   rules:  
    		41 |     - http:
    		42 |         paths:
    		43 |           - path: /app2
    		44 |             pathType: Prefix
    		45 |             backend:
    		46 |               service:
    		47 |                 name: app2-nginx-nodeport-service
    		48 |                 port: 
    		49 |                   number: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.app1-ingress
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/02-App1-Ingress.yml:3-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		3  | apiVersion: networking.k8s.io/v1
    		4  | kind: Ingress
    		5  | metadata:
    		6  |   name: app1-ingress
    		7  |   annotations:
    		8  |     # Load Balancer Name
    		9  |     alb.ingress.kubernetes.io/load-balancer-name: ingress-groups-demo
    		10 |     # Ingress Core Settings  
    		11 |     #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource)
    		12 |     alb.ingress.kubernetes.io/scheme: internet-facing    
    		13 |     # Health Check Settings
    		14 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		15 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		16 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		17 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		18 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		19 |     alb.ingress.kubernetes.io/success-codes: '200'
    		20 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		21 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    		22 |     ## SSL Settings
    		23 |     alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    		24 |     #alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/0d86500a-08b3-4f17-8fb4-f09532ba0522
    		25 |     #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    
    		26 |     # SSL Redirect Setting
    		27 |     alb.ingress.kubernetes.io/ssl-redirect: '443'
    		28 |     # External DNS - For creating a Record Set in Route53
    		29 |     external-dns.alpha.kubernetes.io/hostname: ingress-groups-demo601.stacksimplify.com 
    		30 |     # Ingress Groups
    		31 |     alb.ingress.kubernetes.io/group.name: myapps.web
    		32 |     alb.ingress.kubernetes.io/group.order: '10'
    		33 | spec:
    		34 |   ingressClassName: my-aws-ingress-class   # Ingress Class
    		35 |   # SSL Certificate Discovery using TLS        
    		36 |   tls:
    		37 |   - hosts:
    		38 |     - "*.stacksimplify.com"  
    		39 |   rules:  
    		40 |     - http:
    		41 |         paths:
    		42 |           - path: /app1
    		43 |             pathType: Prefix
    		44 |             backend:
    		45 |               service:
    		46 |                 name: app1-nginx-nodeport-service
    		47 |                 port: 
    		48 |                   number: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.app3-ingress
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/02-App3-Ingress-default-backend.yml:3-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		3  | apiVersion: networking.k8s.io/v1
    		4  | kind: Ingress
    		5  | metadata:
    		6  |   name: app3-ingress
    		7  |   annotations:
    		8  |     # Ingress Core Settings  
    		9  |     #kubernetes.io/ingress.class: "alb"
    		10 |     alb.ingress.kubernetes.io/scheme: internet-facing
    		11 |     # Load Balancer Name
    		12 |     alb.ingress.kubernetes.io/load-balancer-name: ingress-groups-demo
    		13 |     # Health Check Settings
    		14 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		15 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		16 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		17 |     #alb.ingress.kubernetes.io/healthcheck-path: /usermgmt/health-status
    		18 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		19 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		20 |     alb.ingress.kubernetes.io/success-codes: '200'
    		21 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		22 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    		23 |     ## SSL Settings
    		24 |     alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    		25 |     #alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/0d86500a-08b3-4f17-8fb4-f09532ba0522
    		26 |     #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    
    		27 |     # SSL Redirect Setting
    		28 |     alb.ingress.kubernetes.io/ssl-redirect: '443'
    		29 |     # External DNS - For creating a Record Set in Route53
    		30 |     external-dns.alpha.kubernetes.io/hostname: ingress-groups-demo601.stacksimplify.com 
    		31 |     # Ingress Groups
    		32 |     alb.ingress.kubernetes.io/group.name: myapps.web
    		33 |     alb.ingress.kubernetes.io/group.order: '30'
    		34 | spec:
    		35 |   ingressClassName: my-aws-ingress-class   # Ingress Class
    		36 |   # SSL Certificate Discovery using TLS        
    		37 |   tls:
    		38 |   - hosts:
    		39 |     - "*.stacksimplify.com"  
    		40 |   defaultBackend:
    		41 |     service:
    		42 |       name: app3-nginx-nodeport-service
    		43 |       port:
    		44 |         number: 80    
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-loadbalancer-service
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/02-Nginx-App1-LoadBalancer-Service.yml:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: app1-nginx-loadbalancer-service
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   annotations:
    		8  | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		9  |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		10 |     external-dns.alpha.kubernetes.io/hostname: extdns-k8s-service-demo101.stacksimplify.com
    		11 | spec:
    		12 |   type: LoadBalancer
    		13 |   selector:
    		14 |     app: app1-nginx
    		15 |   ports:
    		16 |     - port: 80
    		17 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.ca-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.ca-demo-service-nginx
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:27-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		27 | apiVersion: v1
    		28 | kind: Service
    		29 | metadata:
    		30 |   name: ca-demo-service-nginx
    		31 |   labels:
    		32 |     app: ca-nginx
    		33 | spec:
    		34 |   type: LoadBalancer
    		35 |   selector:
    		36 |     app: ca-nginx
    		37 |   ports:
    		38 |   - port: 80
    		39 |     targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-namedbasedvhost-demo
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/04-ALB-Ingress-HostHeader-Routing.yml:2-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service-nlb
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/03-NLB-LoadBalancer-Service.yaml:1-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service-nlb
    		5  |   annotations:
    		6  |     service.beta.kubernetes.io/aws-load-balancer-type: nlb    # To create Network Load Balancer  
    		7  | spec:
    		8  |   type: LoadBalancer # ClusterIp, # NodePort
    		9  |   selector:
    		10 |     app: myapp1
    		11 |   ports: 
    		12 |     - name: http
    		13 |       port: 80 # Service Port
    		14 |       targetPort: 80 # Container Port
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/02-CLB-LoadBalancer-Service.yaml:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service
    		5  | spec:
    		6  |   type: LoadBalancer # ClusterIp, # NodePort
    		7  |   selector:
    		8  |     app: myapp1
    		9  |   ports: 
    		10 |     - name: http
    		11 |       port: 80 # Service Port
    		12 |       targetPort: 80 # Container Port
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.fp-ns-app1.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.fp-ns-app1.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.fp-ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: Role.dev.dev-ns-role
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/02-kube-manifests-rb-r/02-k8s-role-rolebinding-dev-namespace.yaml:2-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		2  | apiVersion: rbac.authorization.k8s.io/v1
    		3  | kind: Role
    		4  | metadata:
    		5  |   name: dev-ns-role
    		6  |   namespace: dev
    		7  | rules:
    		8  | - apiGroups: ["", "extensions", "apps"]
    		9  |   resources: ["*"]
    		10 |   verbs: ["*"]
    		11 | - apiGroups: ["batch"]
    		12 |   resources:
    		13 |   - jobs
    		14 |   - cronjobs
    		15 |   verbs: ["*"]
    		16 | ---
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.dev.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Role.default.eks-console-dashboard-restricted-access-role
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/other-files/eks-console-restricted-access.yaml:28-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		28 | apiVersion: rbac.authorization.k8s.io/v1
    		29 | kind: Role
    		30 | metadata:
    		31 |   namespace: default
    		32 |   name: eks-console-dashboard-restricted-access-role
    		33 | rules:
    		34 | - apiGroups:
    		35 |   - ""
    		36 |   resources: 
    		37 |   - pods
    		38 |   verbs:
    		39 |   - get
    		40 |   - list
    		41 | - apiGroups:
    		42 |   - apps
    		43 |   resources:
    		44 |   - deployments
    		45 |   - daemonsets
    		46 |   - statefulsets
    		47 |   - replicasets
    		48 |   verbs:
    		49 |   - get
    		50 |   - list
    		51 | - apiGroups:
    		52 |   - batch
    		53 |   resources:
    		54 |   - jobs
    		55 |   verbs:
    		56 |   - get
    		57 |   - list
    		58 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: RoleBinding.default.eks-console-dashboard-restricted-access-role-binding
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/other-files/eks-console-restricted-access.yaml:59-71
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		59 | apiVersion: rbac.authorization.k8s.io/v1
    		60 | kind: RoleBinding
    		61 | metadata:
    		62 |   name: eks-console-dashboard-restricted-access-role-binding
    		63 |   namespace: default
    		64 | subjects:
    		65 | - kind: Group
    		66 |   name: eks-console-dashboard-restricted-access-group
    		67 |   apiGroup: rbac.authorization.k8s.io
    		68 | roleRef:
    		69 |   kind: Role
    		70 |   name: eks-console-dashboard-restricted-access-role
    		71 |   apiGroup: rbac.authorization.k8s.io
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-externaldns-demo
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/04-ALB-Ingress-SSL-Redirect-ExternalDNS.yml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-clusterip-service
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-clusterip-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: ClusterIP
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-clusterip-service
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-clusterip-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: ClusterIP
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-clusterip-service
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-clusterip-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: ClusterIP
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-target-type-ip-demo
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/04-ALB-Ingress-target-type-ip.yml:2-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.lbc-network-lb-internal
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/02-LBC-NLB-LoadBalancer-Service.yml:1-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: lbc-network-lb-internal
    		5  |   annotations:
    		6  |     # Traffic Routing
    		7  |     service.beta.kubernetes.io/aws-load-balancer-name: lbc-network-lb-internal
    		8  |     service.beta.kubernetes.io/aws-load-balancer-type: external
    		9  |     service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    		10 |     #service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet ## Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.
    		11 |     
    		12 |     # Health Check Settings
    		13 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
    		14 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
    		15 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /index.html
    		16 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "3"
    		17 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "3"
    		18 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "10" # The controller currently ignores the timeout configuration due to the limitations on the AWS NLB. The default timeout for TCP is 10s and HTTP is 6s.
    		19 | 
    		20 |     # Access Control
    		21 |     service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    		22 |     # The VPC CIDR will be used if service.beta.kubernetes.io/aws-load-balancer-scheme is internal
    		23 |     #service.beta.kubernetes.io/load-balancer-source-ranges: 0.0.0.0/0     
    		24 | 
    		25 |     # AWS Resource Tags
    		26 |     service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Environment=dev,Team=test
    		27 | spec:
    		28 |   type: LoadBalancer
    		29 |   selector:
    		30 |     app: app3-nginx
    		31 |   ports:
    		32 |     - port: 80
    		33 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-ssl-demo
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/04-ALB-Ingress-SSL-Redirect.yml:2-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: networking.k8s.io/v1
    		3  | kind: Ingress
    		4  | metadata:
    		5  |   name: ingress-ssl-demo
    		6  |   annotations:
    		7  |     # Load Balancer Name
    		8  |     alb.ingress.kubernetes.io/load-balancer-name: ingress-ssl-demo
    		9  |     # Ingress Core Settings
    		10 |     #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource)
    		11 |     alb.ingress.kubernetes.io/scheme: internet-facing
    		12 |     # Health Check Settings
    		13 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		14 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		15 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		16 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		17 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		18 |     alb.ingress.kubernetes.io/success-codes: '200'
    		19 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		20 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'   
    		21 |     ## SSL Settings
    		22 |     alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    		23 |     alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/efc04049-0ddd-4602-8728-6f485dfaa9f9
    		24 |     #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    
    		25 |     # SSL Redirect Setting
    		26 |     alb.ingress.kubernetes.io/ssl-redirect: '443'      
    		27 | spec:
    		28 |   ingressClassName: my-aws-ingress-class   # Ingress Class                  
    		29 |   defaultBackend:
    		30 |     service:
    		31 |       name: app3-nginx-nodeport-service
    		32 |       port:
    		33 |         number: 80     
    		34 |   rules:
    		35 |     - http:
    		36 |         paths:      
    		37 |           - path: /app1
    		38 |             pathType: Prefix
    		39 |             backend:
    		40 |               service:
    		41 |                 name: app1-nginx-nodeport-service
    		42 |                 port: 
    		43 |                   number: 80
    		44 |           - path: /app2
    		45 |             pathType: Prefix
    		46 |             backend:
    		47 |               service:
    		48 |                 name: app2-nginx-nodeport-service
    		49 |                 port: 
    		50 |                   number: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-certdiscoveryhost-demo
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/04-ALB-Ingress-CertDiscovery-host.yml:2-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-internal-lb-demo
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/04-ALB-Ingress-Internal-LB.yml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: networking.k8s.io/v1
    		3  | kind: Ingress
    		4  | metadata:
    		5  |   name: ingress-internal-lb-demo
    		6  |   annotations:
    		7  |     # Load Balancer Name
    		8  |     alb.ingress.kubernetes.io/load-balancer-name: ingress-internal-lb
    		9  |     # Ingress Core Settings
    		10 |     #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource)
    		11 |     # Creates External Application Load Balancer
    		12 |     #alb.ingress.kubernetes.io/scheme: internet-facing
    		13 |     # Creates Internal Application Load Balancer
    		14 |     alb.ingress.kubernetes.io/scheme: internal 
    		15 |     # Health Check Settings
    		16 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		17 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		18 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		19 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		20 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		21 |     alb.ingress.kubernetes.io/success-codes: '200'
    		22 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		23 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'   
    		24 | spec:
    		25 |   ingressClassName: my-aws-ingress-class   # Ingress Class                  
    		26 |   defaultBackend:
    		27 |     service:
    		28 |       name: app3-nginx-nodeport-service
    		29 |       port:
    		30 |         number: 80          
    		31 |   rules:
    		32 |     - http:
    		33 |         paths:      
    		34 |           - path: /app1
    		35 |             pathType: Prefix
    		36 |             backend:
    		37 |               service:
    		38 |                 name: app1-nginx-nodeport-service
    		39 |                 port: 
    		40 |                   number: 80
    		41 |           - path: /app2
    		42 |             pathType: Prefix
    		43 |             backend:
    		44 |               service:
    		45 |                 name: app2-nginx-nodeport-service
    		46 |                 port: 
    		47 |                   number: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 | #    alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-basics
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/02-ALB-Ingress-Basic.yml:2-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: networking.k8s.io/v1
    		3  | kind: Ingress
    		4  | metadata:
    		5  |   name: ingress-basics
    		6  |   labels:
    		7  |     app: app3-nginx
    		8  |   annotations:
    		9  |     # Load Balancer Name
    		10 |     alb.ingress.kubernetes.io/load-balancer-name: ingress-basics
    		11 |     #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource) # Additional Notes: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/guide/ingress/ingress_class/#deprecated-kubernetesioingressclass-annotation
    		12 |     # Ingress Core Settings
    		13 |     alb.ingress.kubernetes.io/scheme: internet-facing
    		14 |     # Health Check Settings
    		15 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		16 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		17 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html    
    		18 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		19 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		20 |     alb.ingress.kubernetes.io/success-codes: '200'
    		21 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		22 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    		23 | spec:
    		24 |   ingressClassName: my-aws-ingress-class # Ingress Class
    		25 |   defaultBackend:
    		26 |     service:
    		27 |       name: app3-nginx-nodeport-service
    		28 |       port:
    		29 |         number: 80                  
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-certdiscoverytls-demo
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/04-ALB-Ingress-CertDiscovery-tls.yml:2-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.usermgmt-webapp-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/09-UserMgmtWebApp-NodePort-Service.yaml:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: usermgmt-webapp-nodeport-service
    		5  | spec:
    		6  |   type: NodePort # ClusterIp, # NodePort
    		7  |   selector:
    		8  |     app: usermgmt-webapp
    		9  |   ports: 
    		10 |     - name: http
    		11 |       port: 80 # Service Port
    		12 |       targetPort: 8080 # Container Port
    		13 |       nodePort: 31280 # Node Port
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: ConfigMap.default.usermanagement-dbcreation-script
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/03-UserManagement-ConfigMap.yaml:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1 | apiVersion: v1
    		2 | kind: ConfigMap
    		3 | metadata:
    		4 |   name: usermanagement-dbcreation-script
    		5 | data: 
    		6 |   mysql_usermgmt.sql: |-
    		7 |     DROP DATABASE IF EXISTS webappdb;
    		8 |     CREATE DATABASE webappdb; 
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.usermgmt-webapp-nlb-service
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/08-UserMgmtWebApp-Network-LoadBalancer.yaml:1-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: usermgmt-webapp-nlb-service
    		5  |   labels: 
    		6  |     app: usermgmt-webapp
    		7  |   annotations:
    		8  |     service.beta.kubernetes.io/aws-load-balancer-type: nlb    # To create Network Load Balancer
    		9  | spec:
    		10 |   type: LoadBalancer # Default - CLB
    		11 |   selector:
    		12 |     app: usermgmt-webapp
    		13 |   ports: 
    		14 |     - port: 80
    		15 |       targetPort: 8080
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/05-mysql-clusterip-service.yaml:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata: 
    		4  |   name: mysql
    		5  | spec:
    		6  |   selector:
    		7  |     app: mysql 
    		8  |   ports: 
    		9  |     - port: 3306  
    		10 |   clusterIP: None # This means we are going to use Pod IP    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.usermgmt-webapp-clb-service
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/07-UserMgmtWebApp-Classic-LoadBalancer-Service.yaml:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: usermgmt-webapp-clb-service
    		5  |   labels: 
    		6  |     app: usermgmt-webapp
    		7  | spec: 
    		8  |   type: LoadBalancer
    		9  |   selector: 
    		10 |     app: usermgmt-webapp
    		11 |   ports: 
    		12 |     - port: 80 # Service Port
    		13 |       targetPort: 8080 # Container Port
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.vpa-demo-service-nginx
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:27-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		27 | apiVersion: v1
    		28 | kind: Service
    		29 | metadata:
    		30 |   name: vpa-demo-service-nginx
    		31 |   labels:
    		32 |     app: vpa-nginx
    		33 | spec:
    		34 |   type: ClusterIP
    		35 |   selector:
    		36 |     app: vpa-nginx
    		37 |   ports:
    		38 |   - port: 80
    		39 |     targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.extdns-tls-lbc-network-lb
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/02-LBC-NLB-LoadBalancer-Service.yml:1-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: extdns-tls-lbc-network-lb
    		5  |   annotations:
    		6  |     # Traffic Routing
    		7  |     service.beta.kubernetes.io/aws-load-balancer-name: extdns-tls-lbc-network-lb
    		8  |     service.beta.kubernetes.io/aws-load-balancer-type: external
    		9  |     service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    		10 |     #service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet ## Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.
    		11 |     
    		12 |     # Health Check Settings
    		13 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
    		14 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
    		15 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /index.html
    		16 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "3"
    		17 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "3"
    		18 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "10" # The controller currently ignores the timeout configuration due to the limitations on the AWS NLB. The default timeout for TCP is 10s and HTTP is 6s.
    		19 | 
    		20 |     # Access Control
    		21 |     service.beta.kubernetes.io/load-balancer-source-ranges: 0.0.0.0/0 
    		22 |     service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    		23 | 
    		24 |     # AWS Resource Tags
    		25 |     service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Environment=dev,Team=test
    		26 | 
    		27 |     # TLS
    		28 |     service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:180789647333:certificate/d86de939-8ffd-410f-adce-0ce1f5be6e0d
    		29 |     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443, # Specify this annotation if you need both TLS and non-TLS listeners on the same load balancer
    		30 |     service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    		31 |     service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp 
    		32 | 
    		33 |     # External DNS - For creating a Record Set in Route53
    		34 |     external-dns.alpha.kubernetes.io/hostname: nlbdns101.stacksimplify.com
    		35 | spec:
    		36 |   type: LoadBalancer
    		37 |   selector:
    		38 |     app: app3-nginx
    		39 |   ports:
    		40 |     - name: http
    		41 |       port: 80
    		42 |       targetPort: 80    
    		43 |     - name: https
    		44 |       port: 443
    		45 |       targetPort: 80      
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service-nlb
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/04-NLB-LoadBalancer-Service.yaml:1-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service-nlb
    		5  |   annotations:
    		6  |     service.beta.kubernetes.io/aws-load-balancer-type: nlb    # To create Network Load Balancer  
    		7  | spec:
    		8  |   type: LoadBalancer # ClusterIp, # NodePort
    		9  |   selector:
    		10 |     app: myapp1
    		11 |   ports: 
    		12 |     - name: http
    		13 |       port: 80 # Service Port
    		14 |       targetPort: 80 # Container Port
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/03-NodePort-Service.yaml:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-nodeport-service
    		5  | spec:
    		6  |   type: NodePort # ClusterIp, # NodePort, #LoadBalancer
    		7  |   selector:
    		8  |     app: myapp1
    		9  |   ports: 
    		10 |     - name: http
    		11 |       port: 80 # Service Port
    		12 |       targetPort: 80 # Container Port
    		13 |       nodePort: 31280 # Node Port
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/02-CLB-LoadBalancer-Service.yaml:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service
    		5  | spec:
    		6  |   type: LoadBalancer # ClusterIp, # NodePort
    		7  |   selector:
    		8  |     app: myapp1
    		9  |   ports: 
    		10 |     - name: http
    		11 |       port: 80 # Service Port
    		12 |       targetPort: 80 # Container Port
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-cpr
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/04-ALB-Ingress-ContextPath-Based-Routing.yml:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: networking.k8s.io/v1
    		3  | kind: Ingress
    		4  | metadata:
    		5  |   name: ingress-cpr
    		6  |   annotations:
    		7  |     # Load Balancer Name
    		8  |     alb.ingress.kubernetes.io/load-balancer-name: ingress-cpr
    		9  |     # Ingress Core Settings
    		10 |     #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource)
    		11 |     alb.ingress.kubernetes.io/scheme: internet-facing
    		12 |     # Health Check Settings
    		13 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		14 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		15 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		16 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		17 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		18 |     alb.ingress.kubernetes.io/success-codes: '200'
    		19 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		20 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'   
    		21 | spec:
    		22 |   ingressClassName: my-aws-ingress-class   # Ingress Class 
    		23 |   defaultBackend:
    		24 |     service:
    		25 |       name: app3-nginx-nodeport-service
    		26 |       port:
    		27 |         number: 80                            
    		28 |   rules:
    		29 |     - http:
    		30 |         paths:           
    		31 |           - path: /app1
    		32 |             pathType: Prefix
    		33 |             backend:
    		34 |               service:
    		35 |                 name: app1-nginx-nodeport-service
    		36 |                 port: 
    		37 |                   number: 80
    		38 |           - path: /app2
    		39 |             pathType: Prefix
    		40 |             backend:
    		41 |               service:
    		42 |                 name: app2-nginx-nodeport-service
    		43 |                 port: 
    		44 |                   number: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service-nlb
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/03-NLB-LoadBalancer-Service.yaml:1-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service-nlb
    		5  |   annotations:
    		6  |     service.beta.kubernetes.io/aws-load-balancer-type: nlb    # To create Network Load Balancer  
    		7  | spec:
    		8  |   type: LoadBalancer # ClusterIp, # NodePort
    		9  |   selector:
    		10 |     app: myapp1
    		11 |   ports: 
    		12 |     - name: http
    		13 |       port: 80 # Service Port
    		14 |       targetPort: 80 # Container Port
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/02-CLB-LoadBalancer-Service.yaml:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service
    		5  | spec:
    		6  |   type: LoadBalancer # ClusterIp, # NodePort
    		7  |   selector:
    		8  |     app: myapp1
    		9  |   ports: 
    		10 |     - name: http
    		11 |       port: 80 # Service Port
    		12 |       targetPort: 80 # Container Port
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-ssl-demo
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/04-ALB-Ingress-SSL-Redirect.yml:2-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: networking.k8s.io/v1
    		3  | kind: Ingress
    		4  | metadata:
    		5  |   name: ingress-ssl-demo
    		6  |   annotations:
    		7  |     # Load Balancer Name
    		8  |     alb.ingress.kubernetes.io/load-balancer-name: ingress-ssl-demo
    		9  |     # Ingress Core Settings
    		10 |     #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource)
    		11 |     alb.ingress.kubernetes.io/scheme: internet-facing
    		12 |     # Health Check Settings
    		13 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		14 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		15 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		16 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		17 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		18 |     alb.ingress.kubernetes.io/success-codes: '200'
    		19 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		20 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'   
    		21 |     ## SSL Settings
    		22 |     alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    		23 |     alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/efc04049-0ddd-4602-8728-6f485dfaa9f9
    		24 |     #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    
    		25 |     # SSL Redirect Setting
    		26 |     alb.ingress.kubernetes.io/ssl-redirect: '443'      
    		27 | spec:
    		28 |   ingressClassName: my-aws-ingress-class   # Ingress Class                  
    		29 |   defaultBackend:
    		30 |     service:
    		31 |       name: app3-nginx-nodeport-service
    		32 |       port:
    		33 |         number: 80     
    		34 |   rules:
    		35 |     - http:
    		36 |         paths:      
    		37 |           - path: /app1
    		38 |             pathType: Prefix
    		39 |             backend:
    		40 |               service:
    		41 |                 name: app1-nginx-nodeport-service
    		42 |                 port: 
    		43 |                   number: 80
    		44 |           - path: /app2
    		45 |             pathType: Prefix
    		46 |             backend:
    		47 |               service:
    		48 |                 name: app2-nginx-nodeport-service
    		49 |                 port: 
    		50 |                   number: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-certdiscoveryhost-demo
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/04-ALB-Ingress-CertDiscovery-host.yml:2-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-internal-lb-demo
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/04-ALB-Ingress-Internal-LB.yml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: networking.k8s.io/v1
    		3  | kind: Ingress
    		4  | metadata:
    		5  |   name: ingress-internal-lb-demo
    		6  |   annotations:
    		7  |     # Load Balancer Name
    		8  |     alb.ingress.kubernetes.io/load-balancer-name: ingress-internal-lb
    		9  |     # Ingress Core Settings
    		10 |     #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource)
    		11 |     # Creates External Application Load Balancer
    		12 |     #alb.ingress.kubernetes.io/scheme: internet-facing
    		13 |     # Creates Internal Application Load Balancer
    		14 |     alb.ingress.kubernetes.io/scheme: internal 
    		15 |     # Health Check Settings
    		16 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		17 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		18 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		19 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		20 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		21 |     alb.ingress.kubernetes.io/success-codes: '200'
    		22 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		23 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'   
    		24 | spec:
    		25 |   ingressClassName: my-aws-ingress-class   # Ingress Class                  
    		26 |   defaultBackend:
    		27 |     service:
    		28 |       name: app3-nginx-nodeport-service
    		29 |       port:
    		30 |         number: 80          
    		31 |   rules:
    		32 |     - http:
    		33 |         paths:      
    		34 |           - path: /app1
    		35 |             pathType: Prefix
    		36 |             backend:
    		37 |               service:
    		38 |                 name: app1-nginx-nodeport-service
    		39 |                 port: 
    		40 |                   number: 80
    		41 |           - path: /app2
    		42 |             pathType: Prefix
    		43 |             backend:
    		44 |               service:
    		45 |                 name: app2-nginx-nodeport-service
    		46 |                 port: 
    		47 |                   number: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 | #    alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-basics
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/02-ALB-Ingress-Basic.yml:2-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: networking.k8s.io/v1
    		3  | kind: Ingress
    		4  | metadata:
    		5  |   name: ingress-basics
    		6  |   labels:
    		7  |     app: app3-nginx
    		8  |   annotations:
    		9  |     # Load Balancer Name
    		10 |     alb.ingress.kubernetes.io/load-balancer-name: ingress-basics
    		11 |     #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource) # Additional Notes: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/guide/ingress/ingress_class/#deprecated-kubernetesioingressclass-annotation
    		12 |     # Ingress Core Settings
    		13 |     alb.ingress.kubernetes.io/scheme: internet-facing
    		14 |     # Health Check Settings
    		15 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		16 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		17 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html    
    		18 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		19 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		20 |     alb.ingress.kubernetes.io/success-codes: '200'
    		21 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		22 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    		23 | spec:
    		24 |   ingressClassName: my-aws-ingress-class # Ingress Class
    		25 |   defaultBackend:
    		26 |     service:
    		27 |       name: app3-nginx-nodeport-service
    		28 |       port:
    		29 |         number: 80                  
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.ns-app2.app2-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.ns-app1.app1-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.ns-app3.app3-nginx-deployment
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-certdiscoverytls-demo
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/04-ALB-Ingress-CertDiscovery-tls.yml:2-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.usermgmt-webapp-nodeport-service
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/09-UserMgmtWebApp-NodePort-Service.yaml:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: usermgmt-webapp-nodeport-service
    		5  | spec:
    		6  |   type: NodePort # ClusterIp, # NodePort
    		7  |   selector:
    		8  |     app: usermgmt-webapp
    		9  |   ports: 
    		10 |     - name: http
    		11 |       port: 80 # Service Port
    		12 |       targetPort: 8080 # Container Port
    		13 |       nodePort: 31280 # Node Port
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: ConfigMap.default.usermanagement-dbcreation-script
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/03-UserManagement-ConfigMap.yaml:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1 | apiVersion: v1
    		2 | kind: ConfigMap
    		3 | metadata:
    		4 |   name: usermanagement-dbcreation-script
    		5 | data: 
    		6 |   mysql_usermgmt.sql: |-
    		7 |     DROP DATABASE IF EXISTS webappdb;
    		8 |     CREATE DATABASE webappdb; 
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.usermgmt-webapp-nlb-service
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/08-UserMgmtWebApp-Network-LoadBalancer.yaml:1-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: usermgmt-webapp-nlb-service
    		5  |   labels: 
    		6  |     app: usermgmt-webapp
    		7  |   annotations:
    		8  |     service.beta.kubernetes.io/aws-load-balancer-type: nlb    # To create Network Load Balancer
    		9  | spec:
    		10 |   type: LoadBalancer # Default - CLB
    		11 |   selector:
    		12 |     app: usermgmt-webapp
    		13 |   ports: 
    		14 |     - port: 80
    		15 |       targetPort: 8080
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/05-mysql-clusterip-service.yaml:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata: 
    		4  |   name: mysql
    		5  | spec:
    		6  |   selector:
    		7  |     app: mysql 
    		8  |   ports: 
    		9  |     - port: 3306  
    		10 |   clusterIP: None # This means we are going to use Pod IP    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.usermgmt-webapp-clb-service
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/07-UserMgmtWebApp-Classic-LoadBalancer-Service.yaml:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: usermgmt-webapp-clb-service
    		5  |   labels: 
    		6  |     app: usermgmt-webapp
    		7  | spec: 
    		8  |   type: LoadBalancer
    		9  |   selector: 
    		10 |     app: usermgmt-webapp
    		11 |   ports: 
    		12 |     - port: 80 # Service Port
    		13 |       targetPort: 8080 # Container Port
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.vpa-demo-deployment
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.vpa-demo-service-nginx
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:27-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		27 | apiVersion: v1
    		28 | kind: Service
    		29 | metadata:
    		30 |   name: vpa-demo-service-nginx
    		31 |   labels:
    		32 |     app: vpa-nginx
    		33 | spec:
    		34 |   type: ClusterIP
    		35 |   selector:
    		36 |     app: vpa-nginx
    		37 |   ports:
    		38 |   - port: 80
    		39 |     targetPort: 80   
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.extdns-tls-lbc-network-lb
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/02-LBC-NLB-LoadBalancer-Service.yml:1-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service
    		3  | metadata:
    		4  |   name: extdns-tls-lbc-network-lb
    		5  |   annotations:
    		6  |     # Traffic Routing
    		7  |     service.beta.kubernetes.io/aws-load-balancer-name: extdns-tls-lbc-network-lb
    		8  |     service.beta.kubernetes.io/aws-load-balancer-type: external
    		9  |     service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    		10 |     #service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet ## Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.
    		11 |     
    		12 |     # Health Check Settings
    		13 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
    		14 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
    		15 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /index.html
    		16 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "3"
    		17 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "3"
    		18 |     service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "10" # The controller currently ignores the timeout configuration due to the limitations on the AWS NLB. The default timeout for TCP is 10s and HTTP is 6s.
    		19 | 
    		20 |     # Access Control
    		21 |     service.beta.kubernetes.io/load-balancer-source-ranges: 0.0.0.0/0 
    		22 |     service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    		23 | 
    		24 |     # AWS Resource Tags
    		25 |     service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Environment=dev,Team=test
    		26 | 
    		27 |     # TLS
    		28 |     service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:180789647333:certificate/d86de939-8ffd-410f-adce-0ce1f5be6e0d
    		29 |     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443, # Specify this annotation if you need both TLS and non-TLS listeners on the same load balancer
    		30 |     service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    		31 |     service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp 
    		32 | 
    		33 |     # External DNS - For creating a Record Set in Route53
    		34 |     external-dns.alpha.kubernetes.io/hostname: nlbdns101.stacksimplify.com
    		35 | spec:
    		36 |   type: LoadBalancer
    		37 |   selector:
    		38 |     app: app3-nginx
    		39 |   ports:
    		40 |     - name: http
    		41 |       port: 80
    		42 |       targetPort: 80    
    		43 |     - name: https
    		44 |       port: 443
    		45 |       targetPort: 80      
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service-nlb
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/04-NLB-LoadBalancer-Service.yaml:1-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service-nlb
    		5  |   annotations:
    		6  |     service.beta.kubernetes.io/aws-load-balancer-type: nlb    # To create Network Load Balancer  
    		7  | spec:
    		8  |   type: LoadBalancer # ClusterIp, # NodePort
    		9  |   selector:
    		10 |     app: myapp1
    		11 |   ports: 
    		12 |     - name: http
    		13 |       port: 80 # Service Port
    		14 |       targetPort: 80 # Container Port
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-nodeport-service
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/03-NodePort-Service.yaml:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-nodeport-service
    		5  | spec:
    		6  |   type: NodePort # ClusterIp, # NodePort, #LoadBalancer
    		7  |   selector:
    		8  |     app: myapp1
    		9  |   ports: 
    		10 |     - name: http
    		11 |       port: 80 # Service Port
    		12 |       targetPort: 80 # Container Port
    		13 |       nodePort: 31280 # Node Port
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/02-CLB-LoadBalancer-Service.yaml:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service
    		5  | spec:
    		6  |   type: LoadBalancer # ClusterIp, # NodePort
    		7  |   selector:
    		8  |     app: myapp1
    		9  |   ports: 
    		10 |     - name: http
    		11 |       port: 80 # Service Port
    		12 |       targetPort: 80 # Container Port
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Ingress.default.ingress-cpr
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/04-ALB-Ingress-ContextPath-Based-Routing.yml:2-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: networking.k8s.io/v1
    		3  | kind: Ingress
    		4  | metadata:
    		5  |   name: ingress-cpr
    		6  |   annotations:
    		7  |     # Load Balancer Name
    		8  |     alb.ingress.kubernetes.io/load-balancer-name: ingress-cpr
    		9  |     # Ingress Core Settings
    		10 |     #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource)
    		11 |     alb.ingress.kubernetes.io/scheme: internet-facing
    		12 |     # Health Check Settings
    		13 |     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
    		14 |     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    		15 |     #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		16 |     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    		17 |     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    		18 |     alb.ingress.kubernetes.io/success-codes: '200'
    		19 |     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    		20 |     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'   
    		21 | spec:
    		22 |   ingressClassName: my-aws-ingress-class   # Ingress Class 
    		23 |   defaultBackend:
    		24 |     service:
    		25 |       name: app3-nginx-nodeport-service
    		26 |       port:
    		27 |         number: 80                            
    		28 |   rules:
    		29 |     - http:
    		30 |         paths:           
    		31 |           - path: /app1
    		32 |             pathType: Prefix
    		33 |             backend:
    		34 |               service:
    		35 |                 name: app1-nginx-nodeport-service
    		36 |                 port: 
    		37 |                   number: 80
    		38 |           - path: /app2
    		39 |             pathType: Prefix
    		40 |             backend:
    		41 |               service:
    		42 |                 name: app2-nginx-nodeport-service
    		43 |                 port: 
    		44 |                   number: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app1-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app1-nginx-nodeport-service
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app1-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app1-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app1-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app2-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app2-nginx-nodeport-service
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app2-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app2-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /app2/index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app2-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.app3-nginx-deployment
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.app3-nginx-nodeport-service
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:23-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		23 | apiVersion: v1
    		24 | kind: Service
    		25 | metadata:
    		26 |   name: app3-nginx-nodeport-service
    		27 |   labels:
    		28 |     app: app3-nginx
    		29 |   annotations:
    		30 | #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    		31 |     alb.ingress.kubernetes.io/healthcheck-path: /index.html
    		32 | spec:
    		33 |   type: NodePort
    		34 |   selector:
    		35 |     app: app3-nginx
    		36 |   ports:
    		37 |     - port: 80
    		38 |       targetPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service-nlb
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/03-NLB-LoadBalancer-Service.yaml:1-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service-nlb
    		5  |   annotations:
    		6  |     service.beta.kubernetes.io/aws-load-balancer-type: nlb    # To create Network Load Balancer  
    		7  | spec:
    		8  |   type: LoadBalancer # ClusterIp, # NodePort
    		9  |   selector:
    		10 |     app: myapp1
    		11 |   ports: 
    		12 |     - name: http
    		13 |       port: 80 # Service Port
    		14 |       targetPort: 80 # Container Port
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.default.myapp1-deployment
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Service.default.myapp1-lb-service
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/02-CLB-LoadBalancer-Service.yaml:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		1  | apiVersion: v1
    		2  | kind: Service 
    		3  | metadata:
    		4  |   name: myapp1-lb-service
    		5  | spec:
    		6  |   type: LoadBalancer # ClusterIp, # NodePort
    		7  |   selector:
    		8  |     app: myapp1
    		9  |   ports: 
    		10 |     - name: http
    		11 |       port: 80 # Service Port
    		12 |       targetPort: 80 # Container Port
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx-deployment
    	File: /52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.ca-demo-deployment.app-ca-nginx
    	File: /51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.myapp1-pod
    	File: /55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.myapp1-pod
    	File: /25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.curl-pod
    	File: /42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/40-EKS-NLB-Basics/04-kube-manifests-nlb-basics/01-Nginx-App3-Deployment.yml:1-21
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx-deployment
    	File: /BACKUP-BEFORE-MAY2023/52-EKS-Horizontal-Pod-Autoscaler/03-hpa-demo-yaml/01-deployment.yaml:1-24
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |  name: app3-nginx-deployment
    		5  | spec:
    		6  |  selector:
    		7  |    matchLabels:
    		8  |      app: app3-nginx-deployment
    		9  |  replicas: 1
    		10 |  template:
    		11 |    metadata:
    		12 |      labels:
    		13 |        app: app3-nginx-deployment
    		14 |    spec:
    		15 |      containers:
    		16 |      - name: app3-nginx-deployment
    		17 |        image: k8s.gcr.io/hpa-example
    		18 |        ports:
    		19 |        - containerPort: 80
    		20 |        resources:
    		21 |          limits:
    		22 |            cpu: 500m
    		23 |          requests:
    		24 |            cpu: 200m
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/36-EKS-Ingress-Groups/04-kube-manifests-ingress-groups/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/32-EKS-ExternalDNS-with-k8s-Service/04-kube-manifests-k8sService-externaldns/01-Nginx-App1-Deployment.yml:1-21
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.ca-demo-deployment.app-ca-nginx
    	File: /BACKUP-BEFORE-MAY2023/51-EKS-Cluster-Autoscaler-Testing/03-cluster-autoscaler-sample-app/cluster-autoscaler-sample-app.yaml:1-26
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: ca-demo-deployment
    		5  |   labels:
    		6  |     app: ca-nginx
    		7  | spec:
    		8  |   replicas: 30
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: ca-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: ca-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: ca-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "200m"       
    		25 |             memory: "200Mi"            
    		26 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/33-EKS-Ingress-NameBasedVirtualHost-Routing/04-kube-manifests-ingress-nvhr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.myapp1-pod
    	File: /BACKUP-BEFORE-MAY2023/55-EKS-Monitoring-Logging-Terraform/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-23
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-30
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 |           resources:
    		24 |             requests:
    		25 |               memory: "2048Mi"
    		26 |               cpu: "1000m"
    		27 |             limits:
    		28 |               memory: "4096Mi"
    		29 |               cpu: "2000m"               
    		30 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/44-EKS-Run-k8s-workloads-on-Fargate/05-kube-manifests-Run-On-Fargate/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-23
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: fp-ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.myapp1-pod
    	File: /BACKUP-BEFORE-MAY2023/25-EKS-DeveloperAccess-IAM-Users/03-app1-kube-manifests/01-Deployment.yaml:1-21
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  |   namespace: dev
    		6  | spec: # Dictionary
    		7  |   replicas: 2
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: myapp1
    		11 |   template:  
    		12 |     metadata: # Dictionary
    		13 |       name: myapp1-pod
    		14 |       labels: # Dictionary
    		15 |         app: myapp1  # Key value pairs
    		16 |     spec:
    		17 |       containers: # List
    		18 |         - name: myapp1-container
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports: 
    		21 |             - containerPort: 80  
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/31-EKS-ExternalDNS-with-Ingress-Service/04-kube-manifests-ingress-externaldns/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/02-Nginx-App2-Deployment-and-ClusterIPService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/03-Nginx-App3-Deployment-and-ClusterIPService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/37-EKS-Ingress-TargetType-IP/04-kube-manifests-ingress-TargetType-IP/01-Nginx-App1-Deployment-and-ClusterIPService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/42-EKS-NLB-InternalLB/04-kube-manifests-nlb-internal/01-Nginx-App3-Deployment.yml:1-21
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.curl-pod
    	File: /BACKUP-BEFORE-MAY2023/38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.usermgmt-webapp.app-usermgmt-webapp
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.mysql.app-mysql
    	File: /BACKUP-BEFORE-MAY2023/15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.vpa-demo-deployment.app-vpa-nginx
    	File: /BACKUP-BEFORE-MAY2023/53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.myapp1-pod
    	File: /BACKUP-BEFORE-MAY2023/10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /BACKUP-BEFORE-MAY2023/28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.myapp1-pod
    	File: /BACKUP-BEFORE-MAY2023/54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /29-EKS-Ingress-SSL-SSLRedirect/03-kube-manifests-Ingress-SSL/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /34-EKS-Ingress-SSLDiscovery-Host/04-kube-manifests-SSLDiscoveryHost/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /38-EKS-Ingress-InternalLB/04-kube-manifests-ingress-InternalLB/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.curl-pod
    	File: /38-EKS-Ingress-InternalLB/05-kube-manifests-curl/01-curl-pod.yml:1-9
    
    		1 | apiVersion: v1
    		2 | kind: Pod
    		3 | metadata:
    		4 |   name: curl-pod
    		5 | spec:
    		6 |   containers:
    		7 |   - name: curl
    		8 |     image: curlimages/curl 
    		9 |     command: [ "sleep", "600" ]
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /27-EKS-Ingress-Basics/03-kube-manifests-ingress-basics/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app2/01-Nginx-App2-Deployment-and-NodePortService.yml:1-23
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  |   namespace: ns-app2        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app2-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app2-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app1/01-Nginx-App1-Deployment-and-NodePortService.yml:1-23
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  |   namespace: ns-app1    
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app1-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app1-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app1-nginx
    		20 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /39-EKS-Ingress-Cross-Namespaces/04-kube-manifests-ingress-cross-ns/app3/01-Nginx-App3-Deployment-and-NodePortService.yml:1-23
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  |   namespace: ns-app3        
    		8  | spec:
    		9  |   replicas: 1
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: app3-nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: app3-nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: app2-nginx
    		20 |           image: stacksimplify/kubenginx:1.0.0
    		21 |           ports:
    		22 |             - containerPort: 80
    		23 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /35-EKS-Ingress-SSLDiscovery-TLS/04-kube-manifests-SSLDiscoveryTLS/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.usermgmt-webapp.app-usermgmt-webapp
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/06-UserMgmtWebApp-Deployment.yaml:1-37
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata:
    		4  |   name: usermgmt-webapp
    		5  |   labels:
    		6  |     app: usermgmt-webapp
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: usermgmt-webapp
    		12 |   template:  
    		13 |     metadata:
    		14 |       labels: 
    		15 |         app: usermgmt-webapp
    		16 |     spec:
    		17 |       initContainers:
    		18 |         - name: init-db
    		19 |           image: busybox:1.31
    		20 |           command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z mysql 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']      
    		21 |       containers:
    		22 |         - name: usermgmt-webapp
    		23 |           image: stacksimplify/kube-usermgmt-webapp:1.0.0-MySQLDB
    		24 |           imagePullPolicy: Always
    		25 |           ports: 
    		26 |             - containerPort: 8080           
    		27 |           env:
    		28 |             - name: DB_HOSTNAME
    		29 |               value: "mysql"            
    		30 |             - name: DB_PORT
    		31 |               value: "3306"            
    		32 |             - name: DB_NAME
    		33 |               value: "webappdb"            
    		34 |             - name: DB_USERNAME
    		35 |               value: "root"            
    		36 |             - name: DB_PASSWORD
    		37 |               value: "dbpassword11"            
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.mysql.app-mysql
    	File: /15-EBS-Kubernetes-SampleApp-YAML/03-kube-manifests-UMS-WebApp/04-mysql-deployment.yaml:1-37
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: mysql
    		5  | spec: 
    		6  |   replicas: 1
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: mysql
    		10 |   strategy:
    		11 |     type: Recreate 
    		12 |   template: 
    		13 |     metadata: 
    		14 |       labels: 
    		15 |         app: mysql
    		16 |     spec: 
    		17 |       containers:
    		18 |         - name: mysql
    		19 |           image: mysql:5.6
    		20 |           env:
    		21 |             - name: MYSQL_ROOT_PASSWORD
    		22 |               value: dbpassword11
    		23 |           ports:
    		24 |             - containerPort: 3306
    		25 |               name: mysql    
    		26 |           volumeMounts:
    		27 |             - name: mysql-persistent-storage
    		28 |               mountPath: /var/lib/mysql    
    		29 |             - name: usermanagement-dbcreation-script
    		30 |               mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance                                            
    		31 |       volumes: 
    		32 |         - name: mysql-persistent-storage
    		33 |           persistentVolumeClaim:
    		34 |             claimName: ebs-mysql-pv-claim
    		35 |         - name: usermanagement-dbcreation-script
    		36 |           configMap:
    		37 |             name: usermanagement-dbcreation-script
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.vpa-demo-deployment.app-vpa-nginx
    	File: /53-EKS-Vertical-Pod-Autoscaler-Install/04-vpa-demo-yaml/01-vpa-demo-app.yaml:1-26
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: vpa-demo-deployment
    		5  |   labels:
    		6  |     app: vpa-nginx
    		7  | spec:
    		8  |   replicas: 4
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: vpa-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: vpa-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |       - name: vpa-nginx
    		19 |         image: stacksimplify/kubenginx:1.0.0
    		20 |         ports:
    		21 |         - containerPort: 80
    		22 |         resources:
    		23 |           requests:
    		24 |             cpu: "5m"       
    		25 |             memory: "5Mi"            
    		26 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /41-EKS-NLB-TLS-externaldns/04-kube-manifests-nlb-tls-externaldns/01-Nginx-App3-Deployment.yml:1-21
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.myapp1-pod
    	File: /10-Kubernetes-Deployment-and-Service/kube-manifests/01-Deployment.yaml:1-20
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app1-nginx-deployment.app-app1-nginx
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/01-Nginx-App1-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app1-nginx-deployment
    		5  |   labels:
    		6  |     app: app1-nginx
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app1-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app1-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app1-nginx
    		19 |           image: stacksimplify/kube-nginxapp1:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app2-nginx-deployment.app-app2-nginx
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/02-Nginx-App2-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app2-nginx-deployment
    		5  |   labels:
    		6  |     app: app2-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app2-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app2-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app2-nginx
    		19 |           image: stacksimplify/kube-nginxapp2:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.app3-nginx-deployment.app-app3-nginx
    	File: /28-EKS-Ingress-Context-Path-Routing/03-kube-manifests-ingress-cpr/03-Nginx-App3-Deployment-and-NodePortService.yml:1-22
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: app3-nginx-deployment
    		5  |   labels:
    		6  |     app: app3-nginx 
    		7  | spec:
    		8  |   replicas: 1
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: app3-nginx
    		12 |   template:
    		13 |     metadata:
    		14 |       labels:
    		15 |         app: app3-nginx
    		16 |     spec:
    		17 |       containers:
    		18 |         - name: app3-nginx
    		19 |           image: stacksimplify/kubenginx:1.0.0
    		20 |           ports:
    		21 |             - containerPort: 80
    		22 | ---
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.myapp1-pod
    	File: /54-EKS-Monitoring-Logging-kubectl/03-sample-app-test-container-insights/01-Deployment.yaml:1-20
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment 
    		3  | metadata: #Dictionary
    		4  |   name: myapp1-deployment
    		5  | spec: # Dictionary
    		6  |   replicas: 2
    		7  |   selector:
    		8  |     matchLabels:
    		9  |       app: myapp1
    		10 |   template:  
    		11 |     metadata: # Dictionary
    		12 |       name: myapp1-pod
    		13 |       labels: # Dictionary
    		14 |         app: myapp1  # Key value pairs
    		15 |     spec:
    		16 |       containers: # List
    		17 |         - name: myapp1-container
    		18 |           image: stacksimplify/kubenginx:1.0.0
    		19 |           ports: 
    		20 |             - containerPort: 80  
    
    
    
                    
                  

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to: