| Repository | ViktorUJ / cks |
|---|---|
| Description | Opensource Platform for learning kubernetes and aws eks and preparation for Certified Kubernetes Specialist (CKA, CKS, CKAD) exams |
| Stars | 199 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 101, Failed checks: 37, Skipped checks: 0
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ClusterAutoScaler
File: /terraform/modules/eks/eks_iam.tf:21-45
```
21 | resource "aws_iam_policy" "ClusterAutoScaler" {
22 |   name        = "${var.aws}-${var.prefix}-eks"
23 |   path        = "/"
24 |   description = ""
25 |   policy      = <<
```
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
```
 8 | apiVersion: apps/v1
 9 | kind: Deployment
10 | metadata:
11 |   creationTimestamp: null
12 |   labels:
13 |     app: deployment1
14 |   name: deployment1
15 | spec:
16 |   replicas: 2
17 |   selector:
18 |     matchLabels:
19 |       app: deployment1
20 |   strategy: {}
21 |   template:
22 |     metadata:
23 |       creationTimestamp: null
24 |       labels:
25 |         app: deployment1
26 |     spec:
27 |       nodeSelector:
28 |         work_type: falco
29 |       containers:
30 |       - image: httpd
31 |         name: httpd
32 |         command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 |         resources: {}
34 |
35 | ---
```
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
```
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 |   creationTimestamp: null
40 |   labels:
41 |     app: deployment1
42 |   name: deployment1
43 |   namespace: blue-team
44 | spec:
45 |   replicas: 2
46 |   selector:
47 |     matchLabels:
48 |       app: deployment1
49 |   strategy: {}
50 |   template:
51 |     metadata:
52 |       creationTimestamp: null
53 |       labels:
54 |         app: deployment1
55 |     spec:
56 |       nodeSelector:
57 |         work_type: falco
58 |       containers:
59 |       - image: httpd
60 |         name: httpd
61 |         command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 |         resources: {}
63 |
64 | ---
```
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 |   creationTimestamp: null
69 |   labels:
70 |     app: deployment2
71 |   name: deployment2
72 | spec:
73 |   replicas: 2
74 |   selector:
75 |     matchLabels:
76 |       app: deployment2
77 |   strategy: {}
78 |   template:
79 |     metadata:
80 |       creationTimestamp: null
81 |       labels:
82 |         app: deployment2
83 |     spec:
84 |       nodeSelector:
85 |         work_type: falco
86 |       containers:
87 |       - image: viktoruj/cks-lab
88 |         name: app
89 |         command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 |         resources: {}
91 |
92 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 |   creationTimestamp: null
97 |   labels:
98 |     app: deployment3
99 |   name: deployment3
100 | spec:
101 |   replicas: 1
102 |   selector:
103 |     matchLabels:
104 |       app: deployment3
105 |   strategy: {}
106 |   template:
107 |     metadata:
108 |       creationTimestamp: null
109 |       labels:
110 |         app: deployment3
111 |     spec:
112 |       nodeSelector:
113 |         work_type: falco
114 |       containers:
115 |       - image: ubuntu:20.04
116 |         name: app
117 |         command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 |         resources: {}
119 |
120 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
121 | apiVersion: apps/v1
122 | kind: Deployment
123 | metadata:
124 |   creationTimestamp: null
125 |   labels:
126 |     app: deployment4
127 |   name: deployment4
128 | spec:
129 |   replicas: 1
130 |   selector:
131 |     matchLabels:
132 |       app: deployment4
133 |   strategy: {}
134 |   template:
135 |     metadata:
136 |       creationTimestamp: null
137 |       labels:
138 |         app: deployment4
139 |     spec:
140 |       nodeSelector:
141 |         work_type: falco
142 |       containers:
143 |       - image: nginx
144 |         name: app
145 |         command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
146 |         resources: {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
8 | apiVersion: v1
9 | kind: Pod
10 | metadata:
11 |   creationTimestamp: null
12 |   labels:
13 |     run: all-pod
14 |     role: pod-all
15 |   name: all-pod
16 |   namespace: metadata-access
17 | spec:
18 |   containers:
19 |   - image: viktoruj/cks-lab
20 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
21 |     name: all-pod
22 |     resources: {}
23 |   dnsPolicy: ClusterFirst
24 |   restartPolicy: Always
25 |
26 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
27 | apiVersion: v1
28 | kind: Pod
29 | metadata:
30 |   creationTimestamp: null
31 |   labels:
32 |     run: metadata-accessor
33 |     role: metadata-accessor
34 |   name: metadata-accessor
35 |   namespace: metadata-access
36 | spec:
37 |   containers:
38 |   - image: viktoruj/cks-lab
39 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
40 |     name: metadata-accessor
41 |     resources: {}
42 |   dnsPolicy: ClusterFirst
43 |   restartPolicy: Always
44 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 | creationTimestamp: null
74 | labels:
75 | app: metadata-server
76 | name: metadata-server
77 | namespace: metadata-access
78 | spec:
79 | replicas: 1
80 | selector:
81 | matchLabels:
82 | app: metadata-server
83 | strategy: {}
84 | template:
85 | metadata:
86 | creationTimestamp: null
87 | labels:
88 | app: metadata-server
89 | spec:
90 | volumes:
91 | - name: index
92 | configMap:
93 | name: index.html
94 | containers:
95 | - image: nginx
96 | name: nginx
97 | volumeMounts:
98 | - name: index
99 | mountPath: /usr/share/nginx/html/
100 |
101 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.metadata-access.metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
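The findings above for the metadata-accessor Pod and the metadata-server Deployment are one set of pod-hardening rules applied to two resources: no probes, no resource requests or limits, an unpinned image, no securityContext at either level, no seccomp profile, and a service-account token mounted by default. The following Python is an added example, not code from the repository and not checkov's own implementation. It encodes an approximation of each CKV_K8S_* rule on this page, runs the rules over both manifests as transcribed from the scan output into Python dicts, and produces a hardened copy that satisfies every rule; it also descends into the pod template of a Deployment (or any other workload that carries one), which is why the same rules fire for both resources. The image reference with tag and digest, the UID 10001, the resource figures and the probe bodies are placeholders chosen for the example.

```python
"""Policy checker for the CKV_K8S_* findings on this page (added example, not checkov's code)."""
from copy import deepcopy

# Constructed from the Pod shown in the scan output (task.yaml:27-44).
METADATA_ACCESSOR = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "metadata-accessor", "namespace": "metadata-access",
                 "labels": {"run": "metadata-accessor", "role": "metadata-accessor"}},
    "spec": {"containers": [{"image": "viktoruj/cks-lab", "name": "metadata-accessor",
                             "command": ["sh", "-c", 'while true ; do echo "$(date) i am working "; sleep 10 ;done'],
                             "resources": {}}],
             "dnsPolicy": "ClusterFirst", "restartPolicy": "Always"},
}

# Constructed from the Deployment shown in the scan output (task.yaml:70-101).
METADATA_SERVER = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "metadata-server", "namespace": "metadata-access"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "metadata-server"}},
             "template": {"metadata": {"labels": {"app": "metadata-server"}},
                          "spec": {"volumes": [{"name": "index", "configMap": {"name": "index.html"}}],
                                   "containers": [{"image": "nginx", "name": "nginx",
                                                   "volumeMounts": [{"name": "index",
                                                                     "mountPath": "/usr/share/nginx/html/"}]}]}}},
}


def pod_spec(manifest):
    """Pod spec of a bare Pod, or of any workload (Deployment, Job, ...) carrying a pod template."""
    return manifest["spec"] if manifest["kind"] == "Pod" else manifest["spec"]["template"]["spec"]


def _sc(obj):
    return obj.get("securityContext") or {}


def _inherited(spec, ctr, key):
    """Container-level securityContext overrides the pod-level one, as Kubernetes does."""
    return _sc(ctr).get(key, _sc(spec).get(key))


def _drops(ctr):
    return {c.upper() for c in (_sc(ctr).get("capabilities") or {}).get("drop", [])}


def _res(ctr, kind):
    return (ctr.get("resources") or {}).get(kind) or {}


def _image_tag(image):
    """Tag part of an image reference; a ':' in the registry host (host:5000/app) is not a tag."""
    last = image.split("@", 1)[0].rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else ""


# (check id, what it wants, predicate over (pod spec, container)). These are this example's
# approximations of the checkov policies; initContainers are not inspected.
CHECKS = [
    ("CKV_K8S_8", "liveness probe", lambda s, c: "livenessProbe" in c),
    ("CKV_K8S_9", "readiness probe", lambda s, c: "readinessProbe" in c),
    ("CKV_K8S_10", "cpu request", lambda s, c: "cpu" in _res(c, "requests")),
    ("CKV_K8S_11", "cpu limit", lambda s, c: "cpu" in _res(c, "limits")),
    ("CKV_K8S_12", "memory request", lambda s, c: "memory" in _res(c, "requests")),
    ("CKV_K8S_13", "memory limit", lambda s, c: "memory" in _res(c, "limits")),
    ("CKV_K8S_14", "tag pinned, not latest", lambda s, c: _image_tag(c["image"]) not in ("", "latest")),
    ("CKV_K8S_43", "image pinned by digest", lambda s, c: "@sha256:" in c["image"]),
    ("CKV_K8S_20", "allowPrivilegeEscalation false", lambda s, c: _sc(c).get("allowPrivilegeEscalation") is False),
    ("CKV_K8S_22", "readOnlyRootFilesystem true", lambda s, c: _sc(c).get("readOnlyRootFilesystem") is True),
    ("CKV_K8S_23", "runAsNonRoot true", lambda s, c: _inherited(s, c, "runAsNonRoot") is True),
    ("CKV_K8S_40", "runAsUser above 10000", lambda s, c: (_inherited(s, c, "runAsUser") or 0) > 10000),
    ("CKV_K8S_28", "NET_RAW dropped", lambda s, c: bool(_drops(c) & {"NET_RAW", "ALL"})),
    ("CKV_K8S_37", "ALL capabilities dropped", lambda s, c: "ALL" in _drops(c)),
    ("CKV_K8S_29", "pod securityContext", lambda s, c: bool(_sc(s))),
    ("CKV_K8S_30", "container securityContext", lambda s, c: bool(_sc(c))),
    ("CKV_K8S_31", "seccomp RuntimeDefault",
     lambda s, c: (_inherited(s, c, "seccompProfile") or {}).get("type") == "RuntimeDefault"),
    ("CKV_K8S_38", "SA token not automounted", lambda s, c: s.get("automountServiceAccountToken") is False),
]


def failed_checks(manifest):
    """Sorted ids of the checks that fail for at least one container."""
    spec = pod_spec(manifest)
    return sorted({cid for cid, _, ok in CHECKS for ctr in spec["containers"] if not ok(spec, ctr)})


def harden(manifest, image_ref, probe):
    """Copy of the manifest with the settings every check above wants.
    image_ref is 'repo:tag@sha256:<digest>'; probe is the body of a liveness/readiness probe.
    The UID and the resource figures are placeholders, to be sized per workload."""
    out = deepcopy(manifest)
    spec = pod_spec(out)
    spec["automountServiceAccountToken"] = False
    spec["securityContext"] = {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,
                               "seccompProfile": {"type": "RuntimeDefault"}}
    for ctr in spec["containers"]:
        ctr["image"] = image_ref
        ctr["securityContext"] = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                  "capabilities": {"drop": ["ALL"]}}
        ctr["resources"] = {"requests": {"cpu": "50m", "memory": "64Mi"},
                            "limits": {"cpu": "200m", "memory": "128Mi"}}
        ctr["livenessProbe"] = deepcopy(probe)
        ctr["readinessProbe"] = deepcopy(probe)
    return out


if __name__ == "__main__":
    # Placeholder digest: substitute the value reported by `docker pull` for the tag you pin.
    fixed = harden(METADATA_ACCESSOR, "viktoruj/cks-lab:1.0@sha256:" + "0" * 64,
                   {"exec": {"command": ["sh", "-c", "true"]}})
    for name, m in (("original", METADATA_ACCESSOR), ("hardened", fixed)):
        print(name, failed_checks(m) or "all checks pass")
```

Two caveats before applying `harden` as-is to the metadata-server Deployment: the stock `nginx` image runs its master process as root, binds port 80 and writes to /var/cache/nginx and /var/run, so `runAsNonRoot` plus `readOnlyRootFilesystem` will stop it from starting unless those paths get `emptyDir` mounts and the server listens on an unprivileged port (the `nginxinc/nginx-unprivileged` image does both). And the `docker/default` / `runtime/default` values named in CKV_K8S_31 are the old seccomp annotation form, which Kubernetes removed in 1.25; the `securityContext.seccompProfile` field used above is the supported way to get the same runtime profile. After editing the manifest, confirm with the real tool rather than this approximation: `checkov -f tasks/cks/labs/13/scripts/task.yaml --framework kubernetes`.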
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   creationTimestamp: null
5 |   labels:
6 |     app: nginx
7 |   name: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   strategy: {}
14 |   template:
15 |     metadata:
16 |       creationTimestamp: null
17 |       labels:
18 |         app: nginx
19 |     spec:
20 |       containers:
21 |       - image: busybox
22 |         name: busybox
23 |         command: ['sh', '-c', 'tail -f /dev/null']
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   creationTimestamp: null
5 |   labels:
6 |     app: task16
7 |   name: task16
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: task16
13 |   strategy: {}
14 |   template:
15 |     metadata:
16 |       creationTimestamp: null
17 |       labels:
18 |         app: task16
19 |     spec:
20 |       containers:
21 |       - image: viktoruj/cks-lab:16
22 |         name: cks-lab
23 |         resources: {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: task16
7 | name: task16
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: task16
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: task16
19 | spec:
20 | containers:
21 | - image: viktoruj/cks-lab:16
22 | name: cks-lab
23 | resources: {}
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: task16
7 | name: task16
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: task16
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: task16
19 | spec:
20 | containers:
21 | - image: viktoruj/cks-lab:16
22 | name: cks-lab
23 | resources: {}
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: task16
7 | name: task16
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: task16
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: task16
19 | spec:
20 | containers:
21 | - image: viktoruj/cks-lab:16
22 | name: cks-lab
23 | resources: {}
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: task16
7 | name: task16
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: task16
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: task16
19 | spec:
20 | containers:
21 | - image: viktoruj/cks-lab:16
22 | name: cks-lab
23 | resources: {}
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: task16
7 | name: task16
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: task16
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: task16
19 | spec:
20 | containers:
21 | - image: viktoruj/cks-lab:16
22 | name: cks-lab
23 | resources: {}
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: task16
7 | name: task16
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: task16
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: task16
19 | spec:
20 | containers:
21 | - image: viktoruj/cks-lab:16
22 | name: cks-lab
23 | resources: {}
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.team-yellow.deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.team-yellow.deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
30 | apiVersion: apps/v1
31 | kind: Deployment
32 | metadata:
33 |   creationTimestamp: null
34 |   labels:
35 |     app: mysql
36 |   name: mysql
37 |   namespace: prod-db
38 | spec:
39 |   replicas: 1
40 |   selector:
41 |     matchLabels:
42 |       app: mysql
43 |   strategy: {}
44 |   template:
45 |     metadata:
46 |       creationTimestamp: null
47 |       labels:
48 |         app: mysql
49 |     spec:
50 |       volumes:
51 |       - name: index
52 |         configMap:
53 |           name: db-index.html
54 |       containers:
55 |       - image: nginx
56 |         name: nginx
57 |         volumeMounts:
58 |         - name: index
59 |           mountPath: /usr/share/nginx/html/
60 |
61 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
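Every finding above for Deployment.team-yellow.deployment2 and Deployment.prod-db.mysql (and the identical set that follows for Deployment.prod-stack-1.backend) comes from the same missing fields on the pod and container spec: no securityContext, no resources, no probes, a floating image reference and a default-mounted service account token. The Python below is an added example, not code from the ViktorUJ/cks repository or from Checkov. It transcribes the two manifests as the dicts a YAML parser would return, re-implements the intent of each check ID that fired (the rules are approximations written for this page, not Checkov's own logic), and applies a `harden()` that sets every field those checks look for, so `check()` on the result comes back empty. The tag `1.25.3`, the all-zero digest, UID 10001, the resource sizes and port 8080 are placeholders chosen for the example; the digest in particular must be resolved against the real image (for instance with `crane digest`) before the manifest is applied.

```python
"""Added example (not the repository's code): a tiny Deployment linter that
mirrors the Checkov check IDs in this scan, plus a harden() that fixes them.
The rules approximate each check's intent; they are not Checkov's own code."""
import copy

# Transcribed from the scan output (task.yaml:30-61, prod-db/mysql) as the
# dict a YAML parser would return.
MYSQL = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "mysql", "namespace": "prod-db", "labels": {"app": "mysql"}},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "mysql"}},
             "template": {"metadata": {"labels": {"app": "mysql"}}, "spec": {
                 "volumes": [{"name": "index", "configMap": {"name": "db-index.html"}}],
                 "containers": [{"image": "nginx", "name": "nginx", "volumeMounts": [
                     {"name": "index", "mountPath": "/usr/share/nginx/html/"}]}]}}},
}
# Transcribed from task.yaml:32-54 (team-yellow/deployment2).
DEPLOYMENT2 = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "deployment2", "namespace": "team-yellow"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "deployment2"}},
             "template": {"metadata": {"labels": {"app": "deployment2"}}, "spec": {
                 "containers": [{"image": "viktoruj/cks-lab:cks_14_app2", "name": "busybox"}]}}},
}

def image_parts(ref):
    """Split 'reg:5000/ns/app:tag@sha256:..' into (repo, tag, digest); registry ports survive."""
    no_digest, _, digest = ref.partition("@")
    path, _, last = no_digest.rpartition("/")
    repo, _, tag = last.partition(":")
    return (f"{path}/{repo}" if path else repo), tag, digest

def check(dep):
    """Return the IDs of this scan's Checkov checks that the Deployment would fail."""
    pod = dep["spec"]["template"]["spec"]
    psc = pod.get("securityContext") or {}
    failed = {k for k, ok in {
        "CKV_K8S_38": pod.get("automountServiceAccountToken") is False,
        "CKV_K8S_29": bool(psc),  # pod-level securityContext present
        "CKV_K8S_31": (psc.get("seccompProfile") or {}).get("type") in ("RuntimeDefault", "Localhost"),
    }.items() if not ok}
    for c in pod["containers"]:
        sc = c.get("securityContext") or {}
        res = c.get("resources") or {}
        _, tag, digest = image_parts(c["image"])
        drop = set((sc.get("capabilities") or {}).get("drop") or [])
        uid = sc.get("runAsUser", psc.get("runAsUser")) or 0
        nonroot = sc.get("runAsNonRoot", psc.get("runAsNonRoot"))
        # Kubernetes defaults imagePullPolicy to Always only for an untagged or
        # :latest image with no digest, which is why CKV_K8S_15 did not fire on mysql.
        pull_ok = c.get("imagePullPolicy") == "Always" or (
            "imagePullPolicy" not in c and not digest and tag in ("", "latest"))
        rules = {
            "CKV_K8S_8": "livenessProbe" in c, "CKV_K8S_9": "readinessProbe" in c,
            "CKV_K8S_10": "cpu" in res.get("requests", {}), "CKV_K8S_11": "cpu" in res.get("limits", {}),
            "CKV_K8S_12": "memory" in res.get("requests", {}), "CKV_K8S_13": "memory" in res.get("limits", {}),
            "CKV_K8S_14": tag not in ("", "latest"), "CKV_K8S_15": pull_ok,
            "CKV_K8S_20": sc.get("allowPrivilegeEscalation") is False,
            "CKV_K8S_22": sc.get("readOnlyRootFilesystem") is True,
            "CKV_K8S_23": nonroot is True or uid > 0, "CKV_K8S_40": uid >= 10000,
            "CKV_K8S_28": bool(drop & {"NET_RAW", "ALL"}), "CKV_K8S_37": "ALL" in drop,
            "CKV_K8S_30": bool(sc), "CKV_K8S_43": digest.startswith("sha256:"),
        }
        failed |= {k for k, ok in rules.items() if not ok}
    return failed

def harden(dep, tag="1.25.3", digest="sha256:" + "0" * 64):
    """Copy of dep with every field the checks want. Default tag, digest, UID,
    port and resource sizes are placeholders: resolve the real digest (crane digest)."""
    out = copy.deepcopy(dep)
    pod = out["spec"]["template"]["spec"]
    pod["automountServiceAccountToken"] = False                            # CKV_K8S_38
    pod["securityContext"] = {"runAsNonRoot": True, "runAsUser": 10001,    # 29, 23, 40
                              "runAsGroup": 10001, "seccompProfile": {"type": "RuntimeDefault"}}  # 31
    # A read-only rootfs breaks the stock nginx image (it writes /var/cache/nginx
    # and /var/run) unless those paths are tmpfs; as non-root it also cannot bind :80.
    pod.setdefault("volumes", []).extend([{"name": "cache", "emptyDir": {}},
                                          {"name": "run", "emptyDir": {}}])
    for c in pod["containers"]:
        repo, old_tag, _ = image_parts(c["image"])
        c["image"] = f"{repo}:{old_tag or tag}@{digest}"                   # CKV_K8S_14, 43
        c["imagePullPolicy"] = "Always"                                    # CKV_K8S_15
        c["securityContext"] = {"allowPrivilegeEscalation": False,         # 30, 20
                                "readOnlyRootFilesystem": True,            # 22
                                "capabilities": {"drop": ["ALL"]}}         # 28, 37
        c["resources"] = {"requests": {"cpu": "50m", "memory": "64Mi"},
                          "limits": {"cpu": "200m", "memory": "128Mi"}}    # 10-13
        c["livenessProbe"] = {"httpGet": {"path": "/", "port": 8080}}      # 8
        c["readinessProbe"] = {"httpGet": {"path": "/", "port": 8080}}     # 9
        c.setdefault("volumeMounts", []).extend([{"name": "cache", "mountPath": "/var/cache/nginx"},
                                                 {"name": "run", "mountPath": "/var/run"}])
    return out

if __name__ == "__main__":
    for name, dep in (("prod-db/mysql", MYSQL), ("team-yellow/deployment2", DEPLOYMENT2)):
        print(f"{name}: fails {sorted(check(dep))} -> after harden(): {sorted(check(harden(dep)))}")
```

Two caveats the scanner cannot tell you. First, the hardened manifest is only correct if the container actually tolerates it: the stock `nginx` image listens on port 80 and writes to `/var/cache/nginx` and `/var/run`, so with `runAsNonRoot` and `readOnlyRootFilesystem` it needs the tmpfs mounts above plus a config that listens above 1024, or an image built for that (the upstream `nginxinc/nginx-unprivileged` image is one option). Second, CKV_K8S_15 passing on `image: nginx` is not a clean bill of health; it passes only because an untagged image defaults to `imagePullPolicy: Always`, which is exactly the floating reference CKV_K8S_14 and CKV_K8S_43 flag. Pin the tag and digest and set the pull policy explicitly, as `harden()` does.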
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
107 | apiVersion: apps/v1
108 | kind: Deployment
109 | metadata:
110 |   creationTimestamp: null
111 |   labels:
112 |     app: backend
113 |   name: backend
114 |   namespace: prod-stack-1
115 | spec:
116 |   replicas: 1
117 |   selector:
118 |     matchLabels:
119 |       app: backend
120 |   strategy: {}
121 |   template:
122 |     metadata:
123 |       creationTimestamp: null
124 |       labels:
125 |         app: backend
126 |     spec:
127 |       volumes:
128 |       - name: index
129 |         configMap:
130 |           name: backend-index.html
131 |       containers:
132 |       - image: nginx
133 |         name: nginx
134 |         volumeMounts:
135 |         - name: index
136 |           mountPath: /usr/share/nginx/html/
137 |
138 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.prod-stack-1.backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
179 | apiVersion: apps/v1
180 | kind: Deployment
181 | metadata:
182 | creationTimestamp: null
183 | labels:
184 | app: frontend
185 | name: frontend
186 | namespace: prod-stack-1
187 | spec:
188 | replicas: 1
189 | selector:
190 | matchLabels:
191 | app: frontend
192 | strategy: {}
193 | template:
194 | metadata:
195 | creationTimestamp: null
196 | labels:
197 | app: frontend
198 | spec:
199 | volumes:
200 | - name: index
201 | configMap:
202 | name: frontend-index.html
203 | containers:
204 | - image: nginx
205 | name: nginx
206 | volumeMounts:
207 | - name: index
208 | mountPath: /usr/share/nginx/html/
209 |
210 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.prod-stack-1.frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
234 | apiVersion: v1
235 | kind: Pod
236 | metadata:
237 | creationTimestamp: null
238 | labels:
239 | run: all-pod
240 | role: pod-all
241 | name: all-pod
242 | namespace: user-client
243 | spec:
244 | containers:
245 | - image: viktoruj/cks-lab
246 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
247 | name: all-pod
248 | resources: {}
249 | dnsPolicy: ClusterFirst
250 | restartPolicy: Always
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
234 | apiVersion: v1
235 | kind: Pod
236 | metadata:
237 |   creationTimestamp: null
238 |   labels:
239 |     run: all-pod
240 |     role: pod-all
241 |   name: all-pod
242 |   namespace: user-client
243 | spec:
244 |   containers:
245 |   - image: viktoruj/cks-lab
246 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
247 |     name: all-pod
248 |     resources: {}
249 |   dnsPolicy: ClusterFirst
250 |   restartPolicy: Always
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
234 | apiVersion: v1
235 | kind: Pod
236 | metadata:
237 |   creationTimestamp: null
238 |   labels:
239 |     run: all-pod
240 |     role: pod-all
241 |   name: all-pod
242 |   namespace: user-client
243 | spec:
244 |   containers:
245 |   - image: viktoruj/cks-lab
246 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
247 |     name: all-pod
248 |     resources: {}
249 |   dnsPolicy: ClusterFirst
250 |   restartPolicy: Always
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
234 | apiVersion: v1
235 | kind: Pod
236 | metadata:
237 |   creationTimestamp: null
238 |   labels:
239 |     run: all-pod
240 |     role: pod-all
241 |   name: all-pod
242 |   namespace: user-client
243 | spec:
244 |   containers:
245 |   - image: viktoruj/cks-lab
246 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
247 |     name: all-pod
248 |     resources: {}
249 |   dnsPolicy: ClusterFirst
250 |   restartPolicy: Always
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
234 | apiVersion: v1
235 | kind: Pod
236 | metadata:
237 |   creationTimestamp: null
238 |   labels:
239 |     run: all-pod
240 |     role: pod-all
241 |   name: all-pod
242 |   namespace: user-client
243 | spec:
244 |   containers:
245 |   - image: viktoruj/cks-lab
246 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
247 |     name: all-pod
248 |     resources: {}
249 |   dnsPolicy: ClusterFirst
250 |   restartPolicy: Always
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |       - name: image-bouncer-webhook
16 |         imagePullPolicy: Always
17 |         image: "kainlite/kube-image-bouncer:latest"
18 |         args:
19 |         - "--cert=/etc/admission-controller/tls/tls.crt"
20 |         - "--key=/etc/admission-controller/tls/tls.key"
21 |         - "--debug"
22 |         - "--registry-whitelist=docker.io"
23 |         volumeMounts:
24 |         - name: tls
25 |           mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |       - name: tls
28 |         secret:
29 |           secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:31-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
31 | apiVersion: v1
32 | kind: Service
33 | metadata:
34 |   labels:
35 |     app: image-bouncer-webhook
36 |   name: image-bouncer-webhook
37 | spec:
38 |   type: NodePort
39 |   ports:
40 |   - name: https
41 |     port: 443
42 |     targetPort: 1323
43 |     protocol: "TCP"
44 |     nodePort: 30020
45 |   selector:
46 |     app: image-bouncer-webhook
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_82: "Ensure that the admission control plugin ServiceAccount is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-serviceaccount-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_90: "Ensure that the --profiling argument is set to false"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-profiling-argument-is-set-to-false-2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_91: "Ensure that the --audit-log-path argument is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-path-argument-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_80: "Ensure that the admission control plugin AlwaysPullImages is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-alwayspullimages-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_88: "Ensure that the --insecure-port argument is set to 0"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-insecure-port-argument-is-set-to-0.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_73: "Ensure that the --kubelet-certificate-authority argument is set as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-kubelet-certificate-authority-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_84: "Ensure that the admission control plugin PodSecurityPolicy is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-podsecuritypolicy-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_68: "Ensure that the --anonymous-auth argument is set to false"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-anonymous-auth-argument-is-set-to-false-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_94: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_96: "Ensure that the --service-account-lookup argument is set to true"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-service-account-lookup-argument-is-set-to-true.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_97: "Ensure that the --service-account-key-file argument is set as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-service-account-key-file-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_81: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_92: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxage-argument-is-set-to-30-or-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_104: "Ensure that encryption providers are appropriately configured"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-etcd-cafile-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_93: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_83: "Ensure that the admission control plugin NamespaceLifecycle is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-namespacelifecycle-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
73 | apiVersion: apps/v1
74 | kind: Deployment
75 | metadata:
76 |   creationTimestamp: null
77 |   labels:
78 |     app: deployment1
79 |   name: deployment1
80 |   namespace: restricted
81 | spec:
82 |   replicas: 1
83 |   selector:
84 |     matchLabels:
85 |       app: deployment1
86 |   strategy: {}
87 |   template:
88 |     metadata:
89 |       creationTimestamp: null
90 |       labels:
91 |         app: deployment1
92 |     spec:
93 |       volumes:
94 |       - name: secret
95 |         secret:
96 |           secretName: secret1
97 |           optional: true
98 |       containers:
99 |       - image: viktoruj/cks-lab
100 |         name: busybox
101 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
102 |         volumeMounts:
103 |         - name: secret
104 |           mountPath: "/var/secret"
105 |           readOnly: true
106 |
107 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
73 | apiVersion: apps/v1
74 | kind: Deployment
75 | metadata:
76 |   creationTimestamp: null
77 |   labels:
78 |     app: deployment1
79 |   name: deployment1
80 |   namespace: restricted
81 | spec:
82 |   replicas: 1
83 |   selector:
84 |     matchLabels:
85 |       app: deployment1
86 |   strategy: {}
87 |   template:
88 |     metadata:
89 |       creationTimestamp: null
90 |       labels:
91 |         app: deployment1
92 |     spec:
93 |       volumes:
94 |       - name: secret
95 |         secret:
96 |           secretName: secret1
97 |           optional: true
98 |       containers:
99 |       - image: viktoruj/cks-lab
100 |         name: busybox
101 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
102 |         volumeMounts:
103 |         - name: secret
104 |           mountPath: "/var/secret"
105 |           readOnly: true
106 |
107 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
73 | apiVersion: apps/v1
74 | kind: Deployment
75 | metadata:
76 |   creationTimestamp: null
77 |   labels:
78 |     app: deployment1
79 |   name: deployment1
80 |   namespace: restricted
81 | spec:
82 |   replicas: 1
83 |   selector:
84 |     matchLabels:
85 |       app: deployment1
86 |   strategy: {}
87 |   template:
88 |     metadata:
89 |       creationTimestamp: null
90 |       labels:
91 |         app: deployment1
92 |     spec:
93 |       volumes:
94 |       - name: secret
95 |         secret:
96 |           secretName: secret1
97 |           optional: true
98 |       containers:
99 |       - image: viktoruj/cks-lab
100 |         name: busybox
101 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
102 |         volumeMounts:
103 |         - name: secret
104 |           mountPath: "/var/secret"
105 |           readOnly: true
106 |
107 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.restricted.deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
108 | apiVersion: apps/v1
109 | kind: Deployment
110 | metadata:
111 |   creationTimestamp: null
112 |   labels:
113 |     app: deployment2
114 |   name: deployment2
115 |   namespace: restricted
116 | spec:
117 |   replicas: 1
118 |   selector:
119 |     matchLabels:
120 |       app: deployment2
121 |   strategy: {}
122 |   template:
123 |     metadata:
124 |       creationTimestamp: null
125 |       labels:
126 |         app: deployment2
127 |     spec:
128 |       containers:
129 |       - image: viktoruj/cks-lab
130 |         name: busybox
131 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
132 |         env:
133 |         - name: SECRET_USERNAME
134 |           valueFrom:
135 |             secretKeyRef:
136 |               name: secret2
137 |               key: secret
138 |
139 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.restricted.deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
140 | apiVersion: apps/v1
141 | kind: Deployment
142 | metadata:
143 |   creationTimestamp: null
144 |   labels:
145 |     app: deployment3
146 |   name: deployment3
147 |   namespace: restricted
148 | spec:
149 |   replicas: 1
150 |   selector:
151 |     matchLabels:
152 |       app: deployment3
153 |   strategy: {}
154 |   template:
155 |     metadata:
156 |       creationTimestamp: null
157 |       labels:
158 |         app: deployment3
159 |     spec:
160 |       serviceAccountName: k8api
161 |       containers:
162 |       - image: viktoruj/cks-lab
163 |         name: busybox
164 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.restricted.deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
120 | apiVersion: v1
121 | kind: Pod
122 | metadata:
123 |   creationTimestamp: null
124 |   labels:
125 |     run: all-pod
126 |   name: all-pod
127 |   namespace: user-client
128 | spec:
129 |   containers:
130 |   - image: viktoruj/cks-lab
131 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
132 |     name: all-pod
133 |     resources: {}
134 |   dnsPolicy: ClusterFirst
135 |   restartPolicy: Always
136 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
120 | apiVersion: v1
121 | kind: Pod
122 | metadata:
123 | creationTimestamp: null
124 | labels:
125 | run: all-pod
126 | name: all-pod
127 | namespace: user-client
128 | spec:
129 | containers:
130 | - image: viktoruj/cks-lab
131 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
132 | name: all-pod
133 | resources: {}
134 | dnsPolicy: ClusterFirst
135 | restartPolicy: Always
136 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 |   creationTimestamp: null
12 |   labels:
13 |     app: secure
14 |   name: secure
15 |   namespace: secure
16 | spec:
17 |   replicas: 1
18 |   selector:
19 |     matchLabels:
20 |       app: secure
21 |   strategy: {}
22 |   template:
23 |     metadata:
24 |       creationTimestamp: null
25 |       labels:
26 |         app: secure
27 |     spec:
28 |       containers:
29 |       - image: viktoruj/cks-lab
30 |         name: c1
31 |         command: ['sh', '-c', 'while true ; do echo "$(date) i am working . c1 . $(id)"; sleep 10 ;done']
32 |         resources: {}
33 |       - image: viktoruj/cks-lab
34 |         name: c2
35 |         command: ['sh', '-c', 'while true ; do echo "$(date) i am working . c2 . $(id)"; sleep 10 ;done']
36 |         resources: {}
37 |       - image: viktoruj/cks-lab
38 |         name: c3
39 |         command: ['sh', '-c', 'while true ; do echo "$(date) i am working . c3 . $(id)"; sleep 10 ;done']
40 |         resources: {}
41 | status: {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.secure.secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: container-host-hacker
15 |   name: container-host-hacker
16 |   namespace: team-red
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: container-host-hacker
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: container-host-hacker
28 |     spec:
29 |       volumes:
30 |       - name: host
31 |         hostPath:
32 |           # directory location on host
33 |           path: /run/containerd
34 |           # this field is optional
35 |           type: Directory
36 |
37 |       containers:
38 |       - image: viktoruj/cks-lab
39 |         name: busybox
40 |         command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 |         volumeMounts:
42 |         - name: host
43 |           mountPath: "/run/containerd"
44 |           readOnly: false
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.team-red.container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: image-bouncer-webhook
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: image-bouncer-webhook
9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: image-bouncer-webhook
13 |     spec:
14 |       containers:
15 |         - name: image-bouncer-webhook
16 |           imagePullPolicy: Always
17 |           image: "kainlite/kube-image-bouncer:latest"
18 |           args:
19 |             - "--cert=/etc/admission-controller/tls/tls.crt"
20 |             - "--key=/etc/admission-controller/tls/tls.key"
21 |             - "--debug"
22 |             - "--registry-whitelist=docker.io"
23 |           volumeMounts:
24 |             - name: tls
25 |               mountPath: /etc/admission-controller/tls
26 |       volumes:
27 |         - name: tls
28 |           secret:
29 |             secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:31-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
31 | apiVersion: v1
32 | kind: Service
33 | metadata:
34 |   labels:
35 |     app: image-bouncer-webhook
36 |   name: image-bouncer-webhook
37 | spec:
38 |   type: NodePort
39 |   ports:
40 |     - name: https
41 |       port: 443
42 |       targetPort: 1323
43 |       protocol: "TCP"
44 |       nodePort: 30020
45 |   selector:
46 |     app: image-bouncer-webhook
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   creationTimestamp: null
13 |   labels:
14 |     app: deployment3
15 |   name: deployment3
16 |   namespace: team-xxx
17 | spec:
18 |   replicas: 1
19 |   selector:
20 |     matchLabels:
21 |       app: deployment3
22 |   strategy: {}
23 |   template:
24 |     metadata:
25 |       creationTimestamp: null
26 |       labels:
27 |         app: deployment3
28 |     spec:
29 |       containers:
30 |       - image: mysql:8.0.33-debian
31 |         name: mysql
32 |         env:
33 |         - name: MYSQL_ROOT_PASSWORD
34 |           value: "my-secret-pw"
35 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.team-xxx.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 |   creationTimestamp: null
40 |   labels:
41 |     app: deployment2
42 |   name: deployment2
43 |   namespace: team-xxx
44 | spec:
45 |   replicas: 1
46 |   selector:
47 |     matchLabels:
48 |       app: deployment2
49 |   strategy: {}
50 |   template:
51 |     metadata:
52 |       creationTimestamp: null
53 |       labels:
54 |         app: deployment2
55 |     spec:
56 |       containers:
57 |       - image: mariadb:10.8-focal
58 |         name: mariadb
59 |         env:
60 |         - name: MARIADB_USER
61 |           value: "example-user"
62 |         - name: MARIADB_PASSWORD
63 |           value: "my_cool_secret"
64 |         - name: MARIADB_ROOT_PASSWORD
65 |           value: "my-secret-pw"
66 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 |   creationTimestamp: null
40 |   labels:
41 |     app: deployment2
42 |   name: deployment2
43 |   namespace: team-xxx
44 | spec:
45 |   replicas: 1
46 |   selector:
47 |     matchLabels:
48 |       app: deployment2
49 |   strategy: {}
50 |   template:
51 |     metadata:
52 |       creationTimestamp: null
53 |       labels:
54 |         app: deployment2
55 |     spec:
56 |       containers:
57 |       - image: mariadb:10.8-focal
58 |         name: mariadb
59 |         env:
60 |         - name: MARIADB_USER
61 |           value: "example-user"
62 |         - name: MARIADB_PASSWORD
63 |           value: "my_cool_secret"
64 |         - name: MARIADB_ROOT_PASSWORD
65 |           value: "my-secret-pw"
66 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 |   creationTimestamp: null
40 |   labels:
41 |     app: deployment2
42 |   name: deployment2
43 |   namespace: team-xxx
44 | spec:
45 |   replicas: 1
46 |   selector:
47 |     matchLabels:
48 |       app: deployment2
49 |   strategy: {}
50 |   template:
51 |     metadata:
52 |       creationTimestamp: null
53 |       labels:
54 |         app: deployment2
55 |     spec:
56 |       containers:
57 |       - image: mariadb:10.8-focal
58 |         name: mariadb
59 |         env:
60 |         - name: MARIADB_USER
61 |           value: "example-user"
62 |         - name: MARIADB_PASSWORD
63 |           value: "my_cool_secret"
64 |         - name: MARIADB_ROOT_PASSWORD
65 |           value: "my-secret-pw"
66 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 |   creationTimestamp: null
40 |   labels:
41 |     app: deployment2
42 |   name: deployment2
43 |   namespace: team-xxx
44 | spec:
45 |   replicas: 1
46 |   selector:
47 |     matchLabels:
48 |       app: deployment2
49 |   strategy: {}
50 |   template:
51 |     metadata:
52 |       creationTimestamp: null
53 |       labels:
54 |         app: deployment2
55 |     spec:
56 |       containers:
57 |       - image: mariadb:10.8-focal
58 |         name: mariadb
59 |         env:
60 |         - name: MARIADB_USER
61 |           value: "example-user"
62 |         - name: MARIADB_PASSWORD
63 |           value: "my_cool_secret"
64 |         - name: MARIADB_ROOT_PASSWORD
65 |           value: "my-secret-pw"
66 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 |   creationTimestamp: null
40 |   labels:
41 |     app: deployment2
42 |   name: deployment2
43 |   namespace: team-xxx
44 | spec:
45 |   replicas: 1
46 |   selector:
47 |     matchLabels:
48 |       app: deployment2
49 |   strategy: {}
50 |   template:
51 |     metadata:
52 |       creationTimestamp: null
53 |       labels:
54 |         app: deployment2
55 |     spec:
56 |       containers:
57 |       - image: mariadb:10.8-focal
58 |         name: mariadb
59 |         env:
60 |         - name: MARIADB_USER
61 |           value: "example-user"
62 |         - name: MARIADB_PASSWORD
63 |           value: "my_cool_secret"
64 |         - name: MARIADB_ROOT_PASSWORD
65 |           value: "my-secret-pw"
66 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 |   creationTimestamp: null
40 |   labels:
41 |     app: deployment2
42 |   name: deployment2
43 |   namespace: team-xxx
44 | spec:
45 |   replicas: 1
46 |   selector:
47 |     matchLabels:
48 |       app: deployment2
49 |   strategy: {}
50 |   template:
51 |     metadata:
52 |       creationTimestamp: null
53 |       labels:
54 |         app: deployment2
55 |     spec:
56 |       containers:
57 |       - image: mariadb:10.8-focal
58 |         name: mariadb
59 |         env:
60 |         - name: MARIADB_USER
61 |           value: "example-user"
62 |         - name: MARIADB_PASSWORD
63 |           value: "my_cool_secret"
64 |         - name: MARIADB_ROOT_PASSWORD
65 |           value: "my-secret-pw"
66 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 |   creationTimestamp: null
40 |   labels:
41 |     app: deployment2
42 |   name: deployment2
43 |   namespace: team-xxx
44 | spec:
45 |   replicas: 1
46 |   selector:
47 |     matchLabels:
48 |       app: deployment2
49 |   strategy: {}
50 |   template:
51 |     metadata:
52 |       creationTimestamp: null
53 |       labels:
54 |         app: deployment2
55 |     spec:
56 |       containers:
57 |       - image: mariadb:10.8-focal
58 |         name: mariadb
59 |         env:
60 |         - name: MARIADB_USER
61 |           value: "example-user"
62 |         - name: MARIADB_PASSWORD
63 |           value: "my_cool_secret"
64 |         - name: MARIADB_ROOT_PASSWORD
65 |           value: "my-secret-pw"
66 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 |   creationTimestamp: null
40 |   labels:
41 |     app: deployment2
42 |   name: deployment2
43 |   namespace: team-xxx
44 | spec:
45 |   replicas: 1
46 |   selector:
47 |     matchLabels:
48 |       app: deployment2
49 |   strategy: {}
50 |   template:
51 |     metadata:
52 |       creationTimestamp: null
53 |       labels:
54 |         app: deployment2
55 |     spec:
56 |       containers:
57 |       - image: mariadb:10.8-focal
58 |         name: mariadb
59 |         env:
60 |         - name: MARIADB_USER
61 |           value: "example-user"
62 |         - name: MARIADB_PASSWORD
63 |           value: "my_cool_secret"
64 |         - name: MARIADB_ROOT_PASSWORD
65 |           value: "my-secret-pw"
66 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.team-xxx.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 |   creationTimestamp: null
40 |   labels:
41 |     app: deployment2
42 |   name: deployment2
43 |   namespace: team-xxx
44 | spec:
45 |   replicas: 1
46 |   selector:
47 |     matchLabels:
48 |       app: deployment2
49 |   strategy: {}
50 |   template:
51 |     metadata:
52 |       creationTimestamp: null
53 |       labels:
54 |         app: deployment2
55 |     spec:
56 |       containers:
57 |       - image: mariadb:10.8-focal
58 |         name: mariadb
59 |         env:
60 |         - name: MARIADB_USER
61 |           value: "example-user"
62 |         - name: MARIADB_PASSWORD
63 |           value: "my_cool_secret"
64 |         - name: MARIADB_ROOT_PASSWORD
65 |           value: "my-secret-pw"
66 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.team-xxx.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 |   creationTimestamp: null
71 |   labels:
72 |     app: deployment1
73 |   name: deployment1
74 |   namespace: team-xxx
75 | spec:
76 |   replicas: 1
77 |   selector:
78 |     matchLabels:
79 |       app: deployment1
80 |   strategy: {}
81 |   template:
82 |     metadata:
83 |       creationTimestamp: null
84 |       labels:
85 |         app: deployment1
86 |     spec:
87 |       containers:
88 |       - image: nginx:1.19-alpine-perl
89 |         name: nginx
90 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 |   creationTimestamp: null
95 |   labels:
96 |     app: deployment4
97 |   name: deployment4
98 |   namespace: team-xxx
99 | spec:
100 |   replicas: 1
101 |   selector:
102 |     matchLabels:
103 |       app: deployment4
104 |   strategy: {}
105 |   template:
106 |     metadata:
107 |       creationTimestamp: null
108 |       labels:
109 |         app: deployment4
110 |     spec:
111 |       containers:
112 |       - image: nginx:1.23-bullseye-perl
113 |         name: nginx
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 |   creationTimestamp: null
95 |   labels:
96 |     app: deployment4
97 |   name: deployment4
98 |   namespace: team-xxx
99 | spec:
100 |   replicas: 1
101 |   selector:
102 |     matchLabels:
103 |       app: deployment4
104 |   strategy: {}
105 |   template:
106 |     metadata:
107 |       creationTimestamp: null
108 |       labels:
109 |         app: deployment4
110 |     spec:
111 |       containers:
112 |       - image: nginx:1.23-bullseye-perl
113 |         name: nginx
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 |   creationTimestamp: null
95 |   labels:
96 |     app: deployment4
97 |   name: deployment4
98 |   namespace: team-xxx
99 | spec:
100 |   replicas: 1
101 |   selector:
102 |     matchLabels:
103 |       app: deployment4
104 |   strategy: {}
105 |   template:
106 |     metadata:
107 |       creationTimestamp: null
108 |       labels:
109 |         app: deployment4
110 |     spec:
111 |       containers:
112 |       - image: nginx:1.23-bullseye-perl
113 |         name: nginx
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 |   creationTimestamp: null
95 |   labels:
96 |     app: deployment4
97 |   name: deployment4
98 |   namespace: team-xxx
99 | spec:
100 |   replicas: 1
101 |   selector:
102 |     matchLabels:
103 |       app: deployment4
104 |   strategy: {}
105 |   template:
106 |     metadata:
107 |       creationTimestamp: null
108 |       labels:
109 |         app: deployment4
110 |     spec:
111 |       containers:
112 |       - image: nginx:1.23-bullseye-perl
113 |         name: nginx
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 |   creationTimestamp: null
95 |   labels:
96 |     app: deployment4
97 |   name: deployment4
98 |   namespace: team-xxx
99 | spec:
100 |   replicas: 1
101 |   selector:
102 |     matchLabels:
103 |       app: deployment4
104 |   strategy: {}
105 |   template:
106 |     metadata:
107 |       creationTimestamp: null
108 |       labels:
109 |         app: deployment4
110 |     spec:
111 |       containers:
112 |       - image: nginx:1.23-bullseye-perl
113 |         name: nginx
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 |   creationTimestamp: null
95 |   labels:
96 |     app: deployment4
97 |   name: deployment4
98 |   namespace: team-xxx
99 | spec:
100 |   replicas: 1
101 |   selector:
102 |     matchLabels:
103 |       app: deployment4
104 |   strategy: {}
105 |   template:
106 |     metadata:
107 |       creationTimestamp: null
108 |       labels:
109 |         app: deployment4
110 |     spec:
111 |       containers:
112 |       - image: nginx:1.23-bullseye-perl
113 |         name: nginx
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 |   creationTimestamp: null
95 |   labels:
96 |     app: deployment4
97 |   name: deployment4
98 |   namespace: team-xxx
99 | spec:
100 |   replicas: 1
101 |   selector:
102 |     matchLabels:
103 |       app: deployment4
104 |   strategy: {}
105 |   template:
106 |     metadata:
107 |       creationTimestamp: null
108 |       labels:
109 |         app: deployment4
110 |     spec:
111 |       containers:
112 |       - image: nginx:1.23-bullseye-perl
113 |         name: nginx
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 |   creationTimestamp: null
95 |   labels:
96 |     app: deployment4
97 |   name: deployment4
98 |   namespace: team-xxx
99 | spec:
100 |   replicas: 1
101 |   selector:
102 |     matchLabels:
103 |       app: deployment4
104 |   strategy: {}
105 |   template:
106 |     metadata:
107 |       creationTimestamp: null
108 |       labels:
109 |         app: deployment4
110 |     spec:
111 |       containers:
112 |       - image: nginx:1.23-bullseye-perl
113 |         name: nginx
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 |   creationTimestamp: null
95 |   labels:
96 |     app: deployment4
97 |   name: deployment4
98 |   namespace: team-xxx
99 | spec:
100 |   replicas: 1
101 |   selector:
102 |     matchLabels:
103 |       app: deployment4
104 |   strategy: {}
105 |   template:
106 |     metadata:
107 |       creationTimestamp: null
108 |       labels:
109 |         app: deployment4
110 |     spec:
111 |       containers:
112 |       - image: nginx:1.23-bullseye-perl
113 |         name: nginx
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 |   creationTimestamp: null
95 |   labels:
96 |     app: deployment4
97 |   name: deployment4
98 |   namespace: team-xxx
99 | spec:
100 |   replicas: 1
101 |   selector:
102 |     matchLabels:
103 |       app: deployment4
104 |   strategy: {}
105 |   template:
106 |     metadata:
107 |       creationTimestamp: null
108 |       labels:
109 |         app: deployment4
110 |     spec:
111 |       containers:
112 |       - image: nginx:1.23-bullseye-perl
113 |         name: nginx
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 |   creationTimestamp: null
95 |   labels:
96 |     app: deployment4
97 |   name: deployment4
98 |   namespace: team-xxx
99 | spec:
100 |   replicas: 1
101 |   selector:
102 |     matchLabels:
103 |       app: deployment4
104 |   strategy: {}
105 |   template:
106 |     metadata:
107 |       creationTimestamp: null
108 |       labels:
109 |         app: deployment4
110 |     spec:
111 |       containers:
112 |       - image: nginx:1.23-bullseye-perl
113 |         name: nginx
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 | creationTimestamp: null
95 | labels:
96 | app: deployment4
97 | name: deployment4
98 | namespace: team-xxx
99 | spec:
100 | replicas: 1
101 | selector:
102 | matchLabels:
103 | app: deployment4
104 | strategy: {}
105 | template:
106 | metadata:
107 | creationTimestamp: null
108 | labels:
109 | app: deployment4
110 | spec:
111 | containers:
112 | - image: nginx:1.23-bullseye-perl
113 | name: nginx
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 | creationTimestamp: null
95 | labels:
96 | app: deployment4
97 | name: deployment4
98 | namespace: team-xxx
99 | spec:
100 | replicas: 1
101 | selector:
102 | matchLabels:
103 | app: deployment4
104 | strategy: {}
105 | template:
106 | metadata:
107 | creationTimestamp: null
108 | labels:
109 | app: deployment4
110 | spec:
111 | containers:
112 | - image: nginx:1.23-bullseye-perl
113 | name: nginx
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 | creationTimestamp: null
95 | labels:
96 | app: deployment4
97 | name: deployment4
98 | namespace: team-xxx
99 | spec:
100 | replicas: 1
101 | selector:
102 | matchLabels:
103 | app: deployment4
104 | strategy: {}
105 | template:
106 | metadata:
107 | creationTimestamp: null
108 | labels:
109 | app: deployment4
110 | spec:
111 | containers:
112 | - image: nginx:1.23-bullseye-perl
113 | name: nginx
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 | creationTimestamp: null
95 | labels:
96 | app: deployment4
97 | name: deployment4
98 | namespace: team-xxx
99 | spec:
100 | replicas: 1
101 | selector:
102 | matchLabels:
103 | app: deployment4
104 | strategy: {}
105 | template:
106 | metadata:
107 | creationTimestamp: null
108 | labels:
109 | app: deployment4
110 | spec:
111 | containers:
112 | - image: nginx:1.23-bullseye-perl
113 | name: nginx
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 | creationTimestamp: null
95 | labels:
96 | app: deployment4
97 | name: deployment4
98 | namespace: team-xxx
99 | spec:
100 | replicas: 1
101 | selector:
102 | matchLabels:
103 | app: deployment4
104 | strategy: {}
105 | template:
106 | metadata:
107 | creationTimestamp: null
108 | labels:
109 | app: deployment4
110 | spec:
111 | containers:
112 | - image: nginx:1.23-bullseye-perl
113 | name: nginx
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 | creationTimestamp: null
95 | labels:
96 | app: deployment4
97 | name: deployment4
98 | namespace: team-xxx
99 | spec:
100 | replicas: 1
101 | selector:
102 | matchLabels:
103 | app: deployment4
104 | strategy: {}
105 | template:
106 | metadata:
107 | creationTimestamp: null
108 | labels:
109 | app: deployment4
110 | spec:
111 | containers:
112 | - image: nginx:1.23-bullseye-perl
113 | name: nginx
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.team-xxx.deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 | creationTimestamp: null
95 | labels:
96 | app: deployment4
97 | name: deployment4
98 | namespace: team-xxx
99 | spec:
100 | replicas: 1
101 | selector:
102 | matchLabels:
103 | app: deployment4
104 | strategy: {}
105 | template:
106 | metadata:
107 | creationTimestamp: null
108 | labels:
109 | app: deployment4
110 | spec:
111 | containers:
112 | - image: nginx:1.23-bullseye-perl
113 | name: nginx
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.team-purple.deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.team-purple.deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.team-purple.deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:8-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | spec:
16 | replicas: 2
17 | selector:
18 | matchLabels:
19 | app: deployment1
20 | strategy: {}
21 | template:
22 | metadata:
23 | creationTimestamp: null
24 | labels:
25 | app: deployment1
26 | spec:
27 | nodeSelector:
28 | work_type: falco
29 | containers:
30 | - image: httpd
31 | name: httpd
32 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
33 | resources: {}
34 |
35 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.blue-team.deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
121 | apiVersion: apps/v1
122 | kind: Deployment
123 | metadata:
124 | creationTimestamp: null
125 | labels:
126 | app: deployment4
127 | name: deployment4
128 | spec:
129 | replicas: 1
130 | selector:
131 | matchLabels:
132 | app: deployment4
133 | strategy: {}
134 | template:
135 | metadata:
136 | creationTimestamp: null
137 | labels:
138 | app: deployment4
139 | spec:
140 | nodeSelector:
141 | work_type: falco
142 | containers:
143 | - image: nginx
144 | name: app
145 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
146 | resources: {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
121 | apiVersion: apps/v1
122 | kind: Deployment
123 | metadata:
124 | creationTimestamp: null
125 | labels:
126 | app: deployment4
127 | name: deployment4
128 | spec:
129 | replicas: 1
130 | selector:
131 | matchLabels:
132 | app: deployment4
133 | strategy: {}
134 | template:
135 | metadata:
136 | creationTimestamp: null
137 | labels:
138 | app: deployment4
139 | spec:
140 | nodeSelector:
141 | work_type: falco
142 | containers:
143 | - image: nginx
144 | name: app
145 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
146 | resources: {}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
121 | apiVersion: apps/v1
122 | kind: Deployment
123 | metadata:
124 | creationTimestamp: null
125 | labels:
126 | app: deployment4
127 | name: deployment4
128 | spec:
129 | replicas: 1
130 | selector:
131 | matchLabels:
132 | app: deployment4
133 | strategy: {}
134 | template:
135 | metadata:
136 | creationTimestamp: null
137 | labels:
138 | app: deployment4
139 | spec:
140 | nodeSelector:
141 | work_type: falco
142 | containers:
143 | - image: nginx
144 | name: app
145 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
146 | resources: {}
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
121 | apiVersion: apps/v1
122 | kind: Deployment
123 | metadata:
124 | creationTimestamp: null
125 | labels:
126 | app: deployment4
127 | name: deployment4
128 | spec:
129 | replicas: 1
130 | selector:
131 | matchLabels:
132 | app: deployment4
133 | strategy: {}
134 | template:
135 | metadata:
136 | creationTimestamp: null
137 | labels:
138 | app: deployment4
139 | spec:
140 | nodeSelector:
141 | work_type: falco
142 | containers:
143 | - image: nginx
144 | name: app
145 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
146 | resources: {}
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
121 | apiVersion: apps/v1
122 | kind: Deployment
123 | metadata:
124 | creationTimestamp: null
125 | labels:
126 | app: deployment4
127 | name: deployment4
128 | spec:
129 | replicas: 1
130 | selector:
131 | matchLabels:
132 | app: deployment4
133 | strategy: {}
134 | template:
135 | metadata:
136 | creationTimestamp: null
137 | labels:
138 | app: deployment4
139 | spec:
140 | nodeSelector:
141 | work_type: falco
142 | containers:
143 | - image: nginx
144 | name: app
145 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
146 | resources: {}
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
121 | apiVersion: apps/v1
122 | kind: Deployment
123 | metadata:
124 | creationTimestamp: null
125 | labels:
126 | app: deployment4
127 | name: deployment4
128 | spec:
129 | replicas: 1
130 | selector:
131 | matchLabels:
132 | app: deployment4
133 | strategy: {}
134 | template:
135 | metadata:
136 | creationTimestamp: null
137 | labels:
138 | app: deployment4
139 | spec:
140 | nodeSelector:
141 | work_type: falco
142 | containers:
143 | - image: nginx
144 | name: app
145 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
146 | resources: {}
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
121 | apiVersion: apps/v1
122 | kind: Deployment
123 | metadata:
124 | creationTimestamp: null
125 | labels:
126 | app: deployment4
127 | name: deployment4
128 | spec:
129 | replicas: 1
130 | selector:
131 | matchLabels:
132 | app: deployment4
133 | strategy: {}
134 | template:
135 | metadata:
136 | creationTimestamp: null
137 | labels:
138 | app: deployment4
139 | spec:
140 | nodeSelector:
141 | work_type: falco
142 | containers:
143 | - image: nginx
144 | name: app
145 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
146 | resources: {}
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
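The same set of checks recurs for deployment4 here and, further down, for prod/deployment1 in k8s-2 and k8s-5, so one added example serves all three listings. It is not Checkov's code and not part of the ViktorUJ/cks repository: a small Python re-implementation of the listed CKV_K8S_* policies, run over deployment4 (transcribed from the listing above into a dict) and over a hardened copy. The checker's reading of each policy (a UID above 10000 for CKV_K8S_40, `RuntimeDefault` for the seccomp check, `automountServiceAccountToken: false` for CKV_K8S_38, a digest or a non-latest tag for CKV_K8S_14) follows the policy descriptions; the UID 10001, the all-zero digest placeholder, the resource figures and the exec probes are assumptions made for the example.

```python
"""Added example, not Checkov's code and not part of the ViktorUJ/cks repo:
a minimal re-implementation of the CKV_K8S_* checks listed above, run over
the deployment4 manifest and over a hardened copy that passes them.
Field names follow the Checkov policy descriptions; the UID 10001, the
all-zero digest placeholder and the exec probes are assumptions."""
import copy
import re

# deployment4 from /tasks/cks/mock/01/k8s-7/scripts/task1.yaml, transcribed
# from the scan output above into a dict with the same content.
DEPLOYMENT4 = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "deployment4", "labels": {"app": "deployment4"}},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "deployment4"}},
        "template": {
            "metadata": {"labels": {"app": "deployment4"}},
            "spec": {
                "nodeSelector": {"work_type": "falco"},
                "containers": [{
                    "image": "nginx",
                    "name": "app",
                    "command": ["sh", "-c",
                                'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done'],
                    "resources": {},
                }],
            },
        },
    },
}

_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def _tag_fixed(image):
    """CKV_K8S_14: a digest or an explicit non-latest tag counts as fixed."""
    if "@" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # ignore a registry host:port prefix
    return ":" in last and last.split(":", 1)[1] != "latest"


def failed_checks(deployment):
    """Return the set of CKV_K8S ids the Deployment's pod template fails."""
    pod = deployment["spec"]["template"]["spec"]
    psc = pod.get("securityContext", {})
    failed = set()
    if "securityContext" not in pod:
        failed.add("CKV_K8S_29")
    if pod.get("automountServiceAccountToken") is not False:
        failed.add("CKV_K8S_38")
    for c in pod["containers"]:
        sc = c.get("securityContext", {})
        eff = {**psc, **sc}  # container-level settings override pod-level ones
        limits = c.get("resources", {}).get("limits", {})
        requests = c.get("resources", {}).get("requests", {})
        dropped = {x.upper() for x in sc.get("capabilities", {}).get("drop", [])}
        passed = {
            "CKV_K8S_30": "securityContext" in c,
            "CKV_K8S_22": sc.get("readOnlyRootFilesystem") is True,
            "CKV_K8S_43": bool(_DIGEST_RE.search(c["image"])),
            "CKV_K8S_14": _tag_fixed(c["image"]),
            "CKV_K8S_23": eff.get("runAsNonRoot") is True,
            "CKV_K8S_40": isinstance(eff.get("runAsUser"), int) and eff["runAsUser"] > 10000,
            "CKV_K8S_8": "livenessProbe" in c,
            "CKV_K8S_9": "readinessProbe" in c,
            "CKV_K8S_10": "cpu" in requests,
            "CKV_K8S_11": "cpu" in limits,
            "CKV_K8S_12": "memory" in requests,
            "CKV_K8S_13": "memory" in limits,
            "CKV_K8S_20": sc.get("allowPrivilegeEscalation") is False,
            "CKV_K8S_28": bool(dropped & {"NET_RAW", "ALL"}),
            "CKV_K8S_37": "ALL" in dropped,
            "CKV_K8S_31": eff.get("seccompProfile", {}).get("type") == "RuntimeDefault",
        }
        failed.update(k for k, ok in passed.items() if not ok)
    return failed


def harden(deployment, digest="0" * 64, uid=10001):
    """Copy of the Deployment with every finding above remediated. The digest
    default is a placeholder (resolve the real one, e.g. `crane digest nginx:1.25`);
    the exec probe only proves the container can run a shell, an nginx that
    actually serves traffic would use httpGet on its port instead."""
    d = copy.deepcopy(deployment)
    pod = d["spec"]["template"]["spec"]
    pod["automountServiceAccountToken"] = False
    pod["securityContext"] = {"runAsNonRoot": True, "runAsUser": uid, "runAsGroup": uid,
                              "seccompProfile": {"type": "RuntimeDefault"}}
    probe = {"exec": {"command": ["sh", "-c", "test -d /proc/1"]}, "periodSeconds": 10}
    for c in pod["containers"]:
        c["image"] = c["image"].split("@", 1)[0] + "@sha256:" + digest
        c["securityContext"] = {"readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}}
        c["resources"] = {"requests": {"cpu": "50m", "memory": "64Mi"},
                          "limits": {"cpu": "250m", "memory": "128Mi"}}
        c["livenessProbe"] = copy.deepcopy(probe)
        c["readinessProbe"] = copy.deepcopy(probe)
    return d


if __name__ == "__main__":
    print("original fails:", sorted(failed_checks(DEPLOYMENT4)))
    print("hardened fails:", sorted(failed_checks(harden(DEPLOYMENT4))))
```

Running it prints the original's failures and an empty set for the hardened copy. One caveat before copying the hardening into the repository: deployment4 runs `apt update` in a loop on a node labelled `work_type: falco`, which looks like deliberate noise for a Falco exercise, and a read-only root filesystem plus a non-root UID would stop `apt` from doing anything. For a lab manifest the honest CI fix is a documented suppression (Checkov reads `checkov.io/skip1: CKV_K8S_22=<reason>` style annotations on the resource's metadata) so the scanner still gates the rest of the repository; the hardened shape above is what a production copy of the same Deployment should look like.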
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
74 | apiVersion: apps/v1
75 | kind: Deployment
76 | metadata:
77 | creationTimestamp: null
78 | labels:
79 | app: deployment1
80 | name: deployment1
81 | namespace: prod
82 | spec:
83 | replicas: 1
84 | selector:
85 | matchLabels:
86 | app: deployment1
87 | strategy: {}
88 | template:
89 | metadata:
90 | creationTimestamp: null
91 | labels:
92 | app: deployment1
93 | spec:
94 | serviceAccountName: k8api
95 | containers:
96 | - image: viktoruj/cks-lab
97 | name: busybox
98 | command: ['sh', '-c', 'while true ; do get_secret.sh ; sleep 10 ;done']
99 | env:
100 | - name: NS
101 | value: "prod"
102 | - name: SECRET
103 | value: "db"
104 | - name: NS_CONFIGMAP
105 | value: "billing"
106 | - name: CONFIGMAP
107 | value: "bill"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
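CKV_K8S_38 deserves a second look for this Deployment rather than the mechanical fix. prod/deployment1 runs `get_secret.sh` under `serviceAccountName: k8api` with `NS=prod`, `SECRET=db`, `NS_CONFIGMAP=billing` and `CONFIGMAP=bill` in its environment; the script itself is not on this page, but on the assumption that it reads that Secret and ConfigMap through the API, the pod genuinely needs its token and `automountServiceAccountToken: false` would break it. The proportionate remediation is to make the token worth as little as possible. The following is an added example, not code from the repository: it generates a least-privilege Role/RoleBinding pair per target namespace for the k8api account, allowing `get` on exactly the two named objects, and includes a tiny evaluator so the result can be checked offline. The object names it produces are assumptions.

```python
"""Added example, not part of the ViktorUJ/cks repository: least-privilege
RBAC for the k8api service account used by prod/deployment1 above.
Assumption: get_secret.sh (not shown on the page) reads the Secret and
ConfigMap named by NS/SECRET and NS_CONFIGMAP/CONFIGMAP through the API."""

# env block of prod/deployment1, transcribed from the scan output above
DEPLOYMENT1_ENV = {"NS": "prod", "SECRET": "db",
                   "NS_CONFIGMAP": "billing", "CONFIGMAP": "bill"}


def least_privilege_rbac(sa_name, sa_namespace, env):
    """One Role + RoleBinding per target namespace, each allowing only `get`
    on the single named object. `list` and `watch` are left out on purpose:
    Kubernetes does not apply resourceNames to those verbs, so granting them
    would expose every Secret in the namespace."""
    targets = [
        (env["NS"], "secrets", env["SECRET"]),
        (env["NS_CONFIGMAP"], "configmaps", env["CONFIGMAP"]),
    ]
    manifests = []
    for ns, resource, name in targets:
        role = f"{sa_name}-get-{resource}-{name}"  # naming is an assumption
        manifests.append({
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role",
            "metadata": {"name": role, "namespace": ns},
            "rules": [{"apiGroups": [""], "resources": [resource],
                       "resourceNames": [name], "verbs": ["get"]}],
        })
        manifests.append({
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": role, "namespace": ns},
            # the subject lives in `prod` even for the binding in `billing`
            "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                          "namespace": sa_namespace}],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "Role", "name": role},
        })
    return manifests


def allowed(manifests, sa_name, sa_namespace, verb, namespace, resource, name):
    """Small RBAC evaluator for the generated objects (core API group only),
    mirroring how the API server resolves a namespaced request: a RoleBinding
    in the request's namespace must name the subject and reference a Role in
    that namespace whose rule matches verb, resource and resourceName."""
    roles = {(m["metadata"]["namespace"], m["metadata"]["name"]): m
             for m in manifests if m["kind"] == "Role"}
    for b in manifests:
        if b["kind"] != "RoleBinding" or b["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s["namespace"] == sa_namespace for s in b["subjects"]):
            continue
        role = roles.get((namespace, b["roleRef"]["name"]), {})
        for rule in role.get("rules", []):
            if ("" in rule["apiGroups"] and resource in rule["resources"]
                    and verb in rule["verbs"]
                    and (not rule.get("resourceNames") or name in rule["resourceNames"])):
                return True
    return False


if __name__ == "__main__":
    import json
    print(json.dumps(least_privilege_rbac("k8api", "prod", DEPLOYMENT1_ENV), indent=2))
```

After applying the generated objects, `kubectl auth can-i get secret/db -n prod --as=system:serviceaccount:prod:k8api` should answer yes and the same query for any other Secret, or for `list secrets`, should answer no. The k8s-5 copy of this Deployment further down only echoes in a loop and never touches the API, so there `automountServiceAccountToken: false` is the right answer to CKV_K8S_38.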
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.prod.deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_82: "Ensure that the admission control plugin ServiceAccount is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-serviceaccount-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_90: "Ensure that the --profiling argument is set to false"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-profiling-argument-is-set-to-false-2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_91: "Ensure that the --audit-log-path argument is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-path-argument-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_80: "Ensure that the admission control plugin AlwaysPullImages is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-alwayspullimages-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_88: "Ensure that the --insecure-port argument is set to 0"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-insecure-port-argument-is-set-to-0.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_73: "Ensure that the --kubelet-certificate-authority argument is set as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-kubelet-certificate-authority-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_84: "Ensure that the admission control plugin PodSecurityPolicy is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-podsecuritypolicy-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_68: "Ensure that the --anonymous-auth argument is set to false"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-anonymous-auth-argument-is-set-to-false-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_94: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_96: "Ensure that the --service-account-lookup argument is set to true"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-service-account-lookup-argument-is-set-to-true.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_97: "Ensure that the --service-account-key-file argument is set as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-service-account-key-file-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_81: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_92: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxage-argument-is-set-to-30-or-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_104: "Ensure that encryption providers are appropriately configured"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-etcd-cafile-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_93: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_83: "Ensure that the admission control plugin NamespaceLifecycle is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-namespacelifecycle-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 | creationTimestamp: null
50 | labels:
51 | app: mysql
52 | name: mysql
53 | namespace: prod-db
54 | spec:
55 | replicas: 1
56 | selector:
57 | matchLabels:
58 | app: mysql
59 | strategy: {}
60 | template:
61 | metadata:
62 | creationTimestamp: null
63 | labels:
64 | app: mysql
65 | spec:
66 | volumes:
67 | - name: index
68 | configMap:
69 | name: db-index.html
70 | containers:
71 | - image: nginx
72 | name: nginx
73 | volumeMounts:
74 | - name: index
75 | mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 | creationTimestamp: null
50 | labels:
51 | app: mysql
52 | name: mysql
53 | namespace: prod-db
54 | spec:
55 | replicas: 1
56 | selector:
57 | matchLabels:
58 | app: mysql
59 | strategy: {}
60 | template:
61 | metadata:
62 | creationTimestamp: null
63 | labels:
64 | app: mysql
65 | spec:
66 | volumes:
67 | - name: index
68 | configMap:
69 | name: db-index.html
70 | containers:
71 | - image: nginx
72 | name: nginx
73 | volumeMounts:
74 | - name: index
75 | mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 | creationTimestamp: null
50 | labels:
51 | app: mysql
52 | name: mysql
53 | namespace: prod-db
54 | spec:
55 | replicas: 1
56 | selector:
57 | matchLabels:
58 | app: mysql
59 | strategy: {}
60 | template:
61 | metadata:
62 | creationTimestamp: null
63 | labels:
64 | app: mysql
65 | spec:
66 | volumes:
67 | - name: index
68 | configMap:
69 | name: db-index.html
70 | containers:
71 | - image: nginx
72 | name: nginx
73 | volumeMounts:
74 | - name: index
75 | mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 | creationTimestamp: null
50 | labels:
51 | app: mysql
52 | name: mysql
53 | namespace: prod-db
54 | spec:
55 | replicas: 1
56 | selector:
57 | matchLabels:
58 | app: mysql
59 | strategy: {}
60 | template:
61 | metadata:
62 | creationTimestamp: null
63 | labels:
64 | app: mysql
65 | spec:
66 | volumes:
67 | - name: index
68 | configMap:
69 | name: db-index.html
70 | containers:
71 | - image: nginx
72 | name: nginx
73 | volumeMounts:
74 | - name: index
75 | mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.prod-db.mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 |   creationTimestamp: null
50 |   labels:
51 |     app: mysql
52 |   name: mysql
53 |   namespace: prod-db
54 | spec:
55 |   replicas: 1
56 |   selector:
57 |     matchLabels:
58 |       app: mysql
59 |   strategy: {}
60 |   template:
61 |     metadata:
62 |       creationTimestamp: null
63 |       labels:
64 |         app: mysql
65 |     spec:
66 |       volumes:
67 |       - name: index
68 |         configMap:
69 |           name: db-index.html
70 |       containers:
71 |       - image: nginx
72 |         name: nginx
73 |         volumeMounts:
74 |         - name: index
75 |           mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 |   creationTimestamp: null
106 |   labels:
107 |     run: all-pod-db-external
108 |     role: db-external-connect
109 |   name: all-pod-db-external
110 |   namespace: user-client
111 | spec:
112 |   containers:
113 |   - image: viktoruj/cks-lab
114 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 |     name: all-pod
116 |     resources: {}
117 |   dnsPolicy: ClusterFirst
118 |   restartPolicy: Always
119 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
120 | apiVersion: v1
121 | kind: Pod
122 | metadata:
123 |   creationTimestamp: null
124 |   labels:
125 |     run: all-pod
126 |   name: all-pod
127 |   namespace: user-client
128 | spec:
129 |   containers:
130 |   - image: viktoruj/cks-lab
131 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
132 |     name: all-pod
133 |     resources: {}
134 |   dnsPolicy: ClusterFirst
135 |   restartPolicy: Always
136 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
120 | apiVersion: v1
121 | kind: Pod
122 | metadata:
123 |   creationTimestamp: null
124 |   labels:
125 |     run: all-pod
126 |   name: all-pod
127 |   namespace: user-client
128 | spec:
129 |   containers:
130 |   - image: viktoruj/cks-lab
131 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
132 |     name: all-pod
133 |     resources: {}
134 |   dnsPolicy: ClusterFirst
135 |   restartPolicy: Always
136 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
120 | apiVersion: v1
121 | kind: Pod
122 | metadata:
123 |   creationTimestamp: null
124 |   labels:
125 |     run: all-pod
126 |   name: all-pod
127 |   namespace: user-client
128 | spec:
129 |   containers:
130 |   - image: viktoruj/cks-lab
131 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
132 |     name: all-pod
133 |     resources: {}
134 |   dnsPolicy: ClusterFirst
135 |   restartPolicy: Always
136 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
120 | apiVersion: v1
121 | kind: Pod
122 | metadata:
123 |   creationTimestamp: null
124 |   labels:
125 |     run: all-pod
126 |   name: all-pod
127 |   namespace: user-client
128 | spec:
129 |   containers:
130 |   - image: viktoruj/cks-lab
131 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
132 |     name: all-pod
133 |     resources: {}
134 |   dnsPolicy: ClusterFirst
135 |   restartPolicy: Always
136 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
120 | apiVersion: v1
121 | kind: Pod
122 | metadata:
123 |   creationTimestamp: null
124 |   labels:
125 |     run: all-pod
126 |   name: all-pod
127 |   namespace: user-client
128 | spec:
129 |   containers:
130 |   - image: viktoruj/cks-lab
131 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
132 |     name: all-pod
133 |     resources: {}
134 |   dnsPolicy: ClusterFirst
135 |   restartPolicy: Always
136 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
120 | apiVersion: v1
121 | kind: Pod
122 | metadata:
123 |   creationTimestamp: null
124 |   labels:
125 |     run: all-pod
126 |   name: all-pod
127 |   namespace: user-client
128 | spec:
129 |   containers:
130 |   - image: viktoruj/cks-lab
131 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
132 |     name: all-pod
133 |     resources: {}
134 |   dnsPolicy: ClusterFirst
135 |   restartPolicy: Always
136 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
120 | apiVersion: v1
121 | kind: Pod
122 | metadata:
123 |   creationTimestamp: null
124 |   labels:
125 |     run: all-pod
126 |   name: all-pod
127 |   namespace: user-client
128 | spec:
129 |   containers:
130 |   - image: viktoruj/cks-lab
131 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
132 |     name: all-pod
133 |     resources: {}
134 |   dnsPolicy: ClusterFirst
135 |   restartPolicy: Always
136 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 |   creationTimestamp: null
141 |   labels:
142 |     run: all-stage-pod
143 |   name: all-stage-pod
144 |   namespace: stage
145 | spec:
146 |   containers:
147 |   - image: viktoruj/cks-lab
148 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 |     name: all-pod
150 |     resources: {}
151 |   dnsPolicy: ClusterFirst
152 |   restartPolicy: Always
153 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 |   creationTimestamp: null
159 |   labels:
160 |     run: db-connect-stage-pod
161 |     role: db-connect
162 |   name: db-connect-stage-pod
163 |   namespace: stage
164 | spec:
165 |   containers:
166 |   - image: viktoruj/cks-lab
167 |     command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 |     name: all-pod
169 |     resources: {}
170 |   dnsPolicy: ClusterFirst
171 |   restartPolicy: Always
172 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
FAILED for resource: RoleBinding.restricted.k8api
File: /tasks/cks/labs/12/scripts/task.yaml:30-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets.html
30 | apiVersion: rbac.authorization.k8s.io/v1
31 | kind: RoleBinding
32 | metadata:
33 | creationTimestamp: null
34 | name: k8api
35 | namespace: restricted
36 | roleRef:
37 | apiGroup: rbac.authorization.k8s.io
38 | kind: Role
39 | name: k8api
40 | subjects:
41 | - kind: ServiceAccount
42 | name: k8api
43 | namespace: restricted
44 |
45 | ---
Check: CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
FAILED for resource: ClusterRoleBinding.prod.k8api
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:57-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets.html
57 | apiVersion: rbac.authorization.k8s.io/v1
58 | kind: ClusterRoleBinding
59 | metadata:
60 | creationTimestamp: null
61 | name: k8api
62 | namespace: prod
63 | roleRef:
64 | apiGroup: rbac.authorization.k8s.io
65 | kind: ClusterRole
66 | name: k8api
67 | subjects:
68 | - kind: ServiceAccount
69 | name: k8api
70 | namespace: prod
71 |
72 |
73 | ---
Check: CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
FAILED for resource: ClusterRoleBinding.prod.k8api
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:48-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets.html
48 | apiVersion: rbac.authorization.k8s.io/v1
49 | kind: ClusterRoleBinding
50 | metadata:
51 | creationTimestamp: null
52 | name: k8api
53 | namespace: prod
54 | roleRef:
55 | apiGroup: rbac.authorization.k8s.io
56 | kind: ClusterRole
57 | name: k8api
58 | subjects:
59 | - kind: ServiceAccount
60 | name: k8api
61 | namespace: prod
62 |
63 |
64 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment1.app-deployment1
File: /tasks/cks/labs/02/scripts/task.yaml:36-64
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment2.app-deployment2
File: /tasks/cks/labs/02/scripts/task.yaml:65-92
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment3.app-deployment3
File: /tasks/cks/labs/02/scripts/task.yaml:93-120
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment4.app-deployment4
File: /tasks/cks/labs/02/scripts/task.yaml:121-146
121 | apiVersion: apps/v1
122 | kind: Deployment
123 | metadata:
124 | creationTimestamp: null
125 | labels:
126 | app: deployment4
127 | name: deployment4
128 | spec:
129 | replicas: 1
130 | selector:
131 | matchLabels:
132 | app: deployment4
133 | strategy: {}
134 | template:
135 | metadata:
136 | creationTimestamp: null
137 | labels:
138 | app: deployment4
139 | spec:
140 | nodeSelector:
141 | work_type: falco
142 | containers:
143 | - image: nginx
144 | name: app
145 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
146 | resources: {}
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.metadata-access.all-pod
File: /tasks/cks/labs/13/scripts/task.yaml:8-26
8 | apiVersion: v1
9 | kind: Pod
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | run: all-pod
14 | role: pod-all
15 | name: all-pod
16 | namespace: metadata-access
17 | spec:
18 | containers:
19 | - image: viktoruj/cks-lab
20 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
21 | name: all-pod
22 | resources: {}
23 | dnsPolicy: ClusterFirst
24 | restartPolicy: Always
25 |
26 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.metadata-access.metadata-accessor
File: /tasks/cks/labs/13/scripts/task.yaml:27-44
27 | apiVersion: v1
28 | kind: Pod
29 | metadata:
30 | creationTimestamp: null
31 | labels:
32 | run: metadata-accessor
33 | role: metadata-accessor
34 | name: metadata-accessor
35 | namespace: metadata-access
36 | spec:
37 | containers:
38 | - image: viktoruj/cks-lab
39 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
40 | name: metadata-accessor
41 | resources: {}
42 | dnsPolicy: ClusterFirst
43 | restartPolicy: Always
44 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.metadata-server.app-metadata-server
File: /tasks/cks/labs/13/scripts/task.yaml:70-101
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 | creationTimestamp: null
74 | labels:
75 | app: metadata-server
76 | name: metadata-server
77 | namespace: metadata-access
78 | spec:
79 | replicas: 1
80 | selector:
81 | matchLabels:
82 | app: metadata-server
83 | strategy: {}
84 | template:
85 | metadata:
86 | creationTimestamp: null
87 | labels:
88 | app: metadata-server
89 | spec:
90 | volumes:
91 | - name: index
92 | configMap:
93 | name: index.html
94 | containers:
95 | - image: nginx
96 | name: nginx
97 | volumeMounts:
98 | - name: index
99 | mountPath: /usr/share/nginx/html/
100 |
101 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.kubernetes-dashboard.k8s-app-kubernetes-dashboard
File: /tasks/cks/labs/08/scripts/task.yaml:180-250
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.dashboard-metrics-scraper.k8s-app-dashboard-metrics-scraper
File: /tasks/cks/labs/08/scripts/task.yaml:268-319
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx.app-nginx
File: /tasks/cks/labs/19/scripts/deployment.yaml:1-23
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx
7 | name: nginx
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx
19 | spec:
20 | containers:
21 | - image: busybox
22 | name: busybox
23 | command: ['sh', '-c', 'tail -f /dev/null']
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.task16.app-task16
File: /tasks/cks/labs/16/scripts/task.yaml:1-23
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: task16
7 | name: task16
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: task16
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: task16
19 | spec:
20 | containers:
21 | - image: viktoruj/cks-lab:16
22 | name: cks-lab
23 | resources: {}
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment1.app-deployment1
File: /tasks/cks/labs/14/scripts/task.yaml:8-31
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: deployment1
14 | name: deployment1
15 | namespace: team-yellow
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: deployment1
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: deployment1
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab:cks_14_app1
30 | name: busybox
31 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment2.app-deployment2
File: /tasks/cks/labs/14/scripts/task.yaml:32-54
32 | apiVersion: apps/v1
33 | kind: Deployment
34 | metadata:
35 | creationTimestamp: null
36 | labels:
37 | app: deployment2
38 | name: deployment2
39 | namespace: team-yellow
40 | spec:
41 | replicas: 1
42 | selector:
43 | matchLabels:
44 | app: deployment2
45 | strategy: {}
46 | template:
47 | metadata:
48 | creationTimestamp: null
49 | labels:
50 | app: deployment2
51 | spec:
52 | containers:
53 | - image: viktoruj/cks-lab:cks_14_app2
54 | name: busybox
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.mysql.app-mysql
File: /tasks/cks/labs/201/scripts/task.yaml:30-61
30 | apiVersion: apps/v1
31 | kind: Deployment
32 | metadata:
33 | creationTimestamp: null
34 | labels:
35 | app: mysql
36 | name: mysql
37 | namespace: prod-db
38 | spec:
39 | replicas: 1
40 | selector:
41 | matchLabels:
42 | app: mysql
43 | strategy: {}
44 | template:
45 | metadata:
46 | creationTimestamp: null
47 | labels:
48 | app: mysql
49 | spec:
50 | volumes:
51 | - name: index
52 | configMap:
53 | name: db-index.html
54 | containers:
55 | - image: nginx
56 | name: nginx
57 | volumeMounts:
58 | - name: index
59 | mountPath: /usr/share/nginx/html/
60 |
61 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.backend.app-backend
File: /tasks/cks/labs/201/scripts/task.yaml:107-138
107 | apiVersion: apps/v1
108 | kind: Deployment
109 | metadata:
110 | creationTimestamp: null
111 | labels:
112 | app: backend
113 | name: backend
114 | namespace: prod-stack-1
115 | spec:
116 | replicas: 1
117 | selector:
118 | matchLabels:
119 | app: backend
120 | strategy: {}
121 | template:
122 | metadata:
123 | creationTimestamp: null
124 | labels:
125 | app: backend
126 | spec:
127 | volumes:
128 | - name: index
129 | configMap:
130 | name: backend-index.html
131 | containers:
132 | - image: nginx
133 | name: nginx
134 | volumeMounts:
135 | - name: index
136 | mountPath: /usr/share/nginx/html/
137 |
138 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.frontend.app-frontend
File: /tasks/cks/labs/201/scripts/task.yaml:179-210
179 | apiVersion: apps/v1
180 | kind: Deployment
181 | metadata:
182 | creationTimestamp: null
183 | labels:
184 | app: frontend
185 | name: frontend
186 | namespace: prod-stack-1
187 | spec:
188 | replicas: 1
189 | selector:
190 | matchLabels:
191 | app: frontend
192 | strategy: {}
193 | template:
194 | metadata:
195 | creationTimestamp: null
196 | labels:
197 | app: frontend
198 | spec:
199 | volumes:
200 | - name: index
201 | configMap:
202 | name: frontend-index.html
203 | containers:
204 | - image: nginx
205 | name: nginx
206 | volumeMounts:
207 | - name: index
208 | mountPath: /usr/share/nginx/html/
209 |
210 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/labs/201/scripts/task.yaml:234-250
234 | apiVersion: v1
235 | kind: Pod
236 | metadata:
237 | creationTimestamp: null
238 | labels:
239 | run: all-pod
240 | role: pod-all
241 | name: all-pod
242 | namespace: user-client
243 | spec:
244 | containers:
245 | - image: viktoruj/cks-lab
246 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
247 | name: all-pod
248 | resources: {}
249 | dnsPolicy: ClusterFirst
250 | restartPolicy: Always
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.image-bouncer-webhook.app-image-bouncer-webhook
File: /tasks/cks/labs/203/scripts/task.yaml:1-30
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: image-bouncer-webhook
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: image-bouncer-webhook
9 | template:
10 | metadata:
11 | labels:
12 | app: image-bouncer-webhook
13 | spec:
14 | containers:
15 | - name: image-bouncer-webhook
16 | imagePullPolicy: Always
17 | image: "kainlite/kube-image-bouncer:latest"
18 | args:
19 | - "--cert=/etc/admission-controller/tls/tls.crt"
20 | - "--key=/etc/admission-controller/tls/tls.key"
21 | - "--debug"
22 | - "--registry-whitelist=docker.io"
23 | volumeMounts:
24 | - name: tls
25 | mountPath: /etc/admission-controller/tls
26 | volumes:
27 | - name: tls
28 | secret:
29 | secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cks/labs/03/scripts/kube-apiserver.yaml:1-120
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.container-host-hacker.app-container-host-hacker
File: /tasks/cks/labs/04/scripts/task.yaml:9-44
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: container-host-hacker
15 | name: container-host-hacker
16 | namespace: team-red
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: container-host-hacker
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: container-host-hacker
28 | spec:
29 | volumes:
30 | - name: host
31 | hostPath:
32 | # directory location on host
33 | path: /run/containerd
34 | # this field is optional
35 | type: Directory
36 |
37 | containers:
38 | - image: viktoruj/cks-lab
39 | name: busybox
40 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 | volumeMounts:
42 | - name: host
43 | mountPath: "/run/containerd"
44 | readOnly: false
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment1.app-deployment1
File: /tasks/cks/labs/12/scripts/task.yaml:73-107
73 | apiVersion: apps/v1
74 | kind: Deployment
75 | metadata:
76 | creationTimestamp: null
77 | labels:
78 | app: deployment1
79 | name: deployment1
80 | namespace: restricted
81 | spec:
82 | replicas: 1
83 | selector:
84 | matchLabels:
85 | app: deployment1
86 | strategy: {}
87 | template:
88 | metadata:
89 | creationTimestamp: null
90 | labels:
91 | app: deployment1
92 | spec:
93 | volumes:
94 | - name: secret
95 | secret:
96 | secretName: secret1
97 | optional: true
98 | containers:
99 | - image: viktoruj/cks-lab
100 | name: busybox
101 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
102 | volumeMounts:
103 | - name: secret
104 | mountPath: "/var/secret"
105 | readOnly: true
106 |
107 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment2.app-deployment2
File: /tasks/cks/labs/12/scripts/task.yaml:108-139
108 | apiVersion: apps/v1
109 | kind: Deployment
110 | metadata:
111 | creationTimestamp: null
112 | labels:
113 | app: deployment2
114 | name: deployment2
115 | namespace: restricted
116 | spec:
117 | replicas: 1
118 | selector:
119 | matchLabels:
120 | app: deployment2
121 | strategy: {}
122 | template:
123 | metadata:
124 | creationTimestamp: null
125 | labels:
126 | app: deployment2
127 | spec:
128 | containers:
129 | - image: viktoruj/cks-lab
130 | name: busybox
131 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
132 | env:
133 | - name: SECRET_USERNAME
134 | valueFrom:
135 | secretKeyRef:
136 | name: secret2
137 | key: secret
138 |
139 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment3.app-deployment3
File: /tasks/cks/labs/12/scripts/task.yaml:140-164
140 | apiVersion: apps/v1
141 | kind: Deployment
142 | metadata:
143 | creationTimestamp: null
144 | labels:
145 | app: deployment3
146 | name: deployment3
147 | namespace: restricted
148 | spec:
149 | replicas: 1
150 | selector:
151 | matchLabels:
152 | app: deployment3
153 | strategy: {}
154 | template:
155 | metadata:
156 | creationTimestamp: null
157 | labels:
158 | app: deployment3
159 | spec:
160 | serviceAccountName: k8api
161 | containers:
162 | - image: viktoruj/cks-lab
163 | name: busybox
164 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.mysql.app-mysql
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:46-77
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 | creationTimestamp: null
50 | labels:
51 | app: mysql
52 | name: mysql
53 | namespace: prod-db
54 | spec:
55 | replicas: 1
56 | selector:
57 | matchLabels:
58 | app: mysql
59 | strategy: {}
60 | template:
61 | metadata:
62 | creationTimestamp: null
63 | labels:
64 | app: mysql
65 | spec:
66 | volumes:
67 | - name: index
68 | configMap:
69 | name: db-index.html
70 | containers:
71 | - image: nginx
72 | name: nginx
73 | volumeMounts:
74 | - name: index
75 | mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:102-119
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 | creationTimestamp: null
106 | labels:
107 | run: all-pod-db-external
108 | role: db-external-connect
109 | name: all-pod-db-external
110 | namespace: user-client
111 | spec:
112 | containers:
113 | - image: viktoruj/cks-lab
114 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 | name: all-pod
116 | resources: {}
117 | dnsPolicy: ClusterFirst
118 | restartPolicy: Always
119 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:120-136
120 | apiVersion: v1
121 | kind: Pod
122 | metadata:
123 | creationTimestamp: null
124 | labels:
125 | run: all-pod
126 | name: all-pod
127 | namespace: user-client
128 | spec:
129 | containers:
130 | - image: viktoruj/cks-lab
131 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
132 | name: all-pod
133 | resources: {}
134 | dnsPolicy: ClusterFirst
135 | restartPolicy: Always
136 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:137-153
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:155-172
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cks/mock/01/k8s-6/scripts/task1.yaml:174-189
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.secure.app-secure
File: /tasks/cks/mock/01/k8s-6/scripts/task10.yaml:8-41
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | creationTimestamp: null
12 | labels:
13 | app: secure
14 | name: secure
15 | namespace: secure
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app: secure
21 | strategy: {}
22 | template:
23 | metadata:
24 | creationTimestamp: null
25 | labels:
26 | app: secure
27 | spec:
28 | containers:
29 | - image: viktoruj/cks-lab
30 | name: c1
31 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working . c1 . $(id)"; sleep 10 ;done']
32 | resources: {}
33 | - image: viktoruj/cks-lab
34 | name: c2
35 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working . c2 . $(id)"; sleep 10 ;done']
36 | resources: {}
37 | - image: viktoruj/cks-lab
38 | name: c3
39 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working . c3 . $(id)"; sleep 10 ;done']
40 | resources: {}
41 | status: {}
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.container-host-hacker.app-container-host-hacker
File: /tasks/cks/mock/01/k8s-6/scripts/task15.yaml:9-44
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: container-host-hacker
15 | name: container-host-hacker
16 | namespace: team-red
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: container-host-hacker
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: container-host-hacker
28 | spec:
29 | volumes:
30 | - name: host
31 | hostPath:
32 | # directory location on host
33 | path: /run/containerd
34 | # this field is optional
35 | type: Directory
36 |
37 | containers:
38 | - image: viktoruj/cks-lab
39 | name: busybox
40 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
41 | volumeMounts:
42 | - name: host
43 | mountPath: "/run/containerd"
44 | readOnly: false
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.image-bouncer-webhook.app-image-bouncer-webhook
File: /tasks/cks/mock/01/k8s-8/scripts/task1.yaml:1-30
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: image-bouncer-webhook
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: image-bouncer-webhook
9 | template:
10 | metadata:
11 | labels:
12 | app: image-bouncer-webhook
13 | spec:
14 | containers:
15 | - name: image-bouncer-webhook
16 | imagePullPolicy: Always
17 | image: "kainlite/kube-image-bouncer:latest"
18 | args:
19 | - "--cert=/etc/admission-controller/tls/tls.crt"
20 | - "--key=/etc/admission-controller/tls/tls.key"
21 | - "--debug"
22 | - "--registry-whitelist=docker.io"
23 | volumeMounts:
24 | - name: tls
25 | mountPath: /etc/admission-controller/tls
26 | volumes:
27 | - name: tls
28 | secret:
29 | secretName: tls-image-bouncer-webhook
30 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment3.app-deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:9-35
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment3
15 | name: deployment3
16 | namespace: team-xxx
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment3
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment3
28 | spec:
29 | containers:
30 | - image: mysql:8.0.33-debian
31 | name: mysql
32 | env:
33 | - name: MYSQL_ROOT_PASSWORD
34 | value: "my-secret-pw"
35 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment2.app-deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:36-66
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment2
42 | name: deployment2
43 | namespace: team-xxx
44 | spec:
45 | replicas: 1
46 | selector:
47 | matchLabels:
48 | app: deployment2
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment2
55 | spec:
56 | containers:
57 | - image: mariadb:10.8-focal
58 | name: mariadb
59 | env:
60 | - name: MARIADB_USER
61 | value: "example-user"
62 | - name: MARIADB_PASSWORD
63 | value: "my_cool_secret"
64 | - name: MARIADB_ROOT_PASSWORD
65 | value: "my-secret-pw"
66 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment1.app-deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:67-90
67 | apiVersion: apps/v1
68 | kind: Deployment
69 | metadata:
70 | creationTimestamp: null
71 | labels:
72 | app: deployment1
73 | name: deployment1
74 | namespace: team-xxx
75 | spec:
76 | replicas: 1
77 | selector:
78 | matchLabels:
79 | app: deployment1
80 | strategy: {}
81 | template:
82 | metadata:
83 | creationTimestamp: null
84 | labels:
85 | app: deployment1
86 | spec:
87 | containers:
88 | - image: nginx:1.19-alpine-perl
89 | name: nginx
90 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment4.app-deployment4
File: /tasks/cks/mock/01/k8s-1/scripts/task2.yaml:91-113
91 | apiVersion: apps/v1
92 | kind: Deployment
93 | metadata:
94 | creationTimestamp: null
95 | labels:
96 | app: deployment4
97 | name: deployment4
98 | namespace: team-xxx
99 | spec:
100 | replicas: 1
101 | selector:
102 | matchLabels:
103 | app: deployment4
104 | strategy: {}
105 | template:
106 | metadata:
107 | creationTimestamp: null
108 | labels:
109 | app: deployment4
110 | spec:
111 | containers:
112 | - image: nginx:1.23-bullseye-perl
113 | name: nginx
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment1.app-deployment1
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:9-33
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 | creationTimestamp: null
13 | labels:
14 | app: deployment1
15 | name: deployment1
16 | namespace: team-purple
17 | spec:
18 | replicas: 1
19 | selector:
20 | matchLabels:
21 | app: deployment1
22 | strategy: {}
23 | template:
24 | metadata:
25 | creationTimestamp: null
26 | labels:
27 | app: deployment1
28 | spec:
29 | containers:
30 | - image: viktoruj/cks-lab
31 | name: busybox
32 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
33 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment2.app-deployment2
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:35-60
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 | creationTimestamp: null
39 | labels:
40 | app: deployment2
41 | name: deployment2
42 | namespace: team-purple
43 | spec:
44 | replicas: 1
45 | selector:
46 | matchLabels:
47 | app: deployment2
48 | strategy: {}
49 | template:
50 | metadata:
51 | creationTimestamp: null
52 | labels:
53 | app: deployment2
54 | spec:
55 | containers:
56 | - image: viktoruj/cks-lab
57 | name: busybox
58 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
59 |
60 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment3.app-deployment3
File: /tasks/cks/mock/01/k8s-1/scripts/task1.yaml:62-85
62 | apiVersion: apps/v1
63 | kind: Deployment
64 | metadata:
65 | creationTimestamp: null
66 | labels:
67 | app: deployment3
68 | name: deployment3
69 | namespace: team-purple
70 | spec:
71 | replicas: 1
72 | selector:
73 | matchLabels:
74 | app: deployment3
75 | strategy: {}
76 | template:
77 | metadata:
78 | creationTimestamp: null
79 | labels:
80 | app: deployment3
81 | spec:
82 | containers:
83 | - image: viktoruj/cks-lab
84 | name: busybox
85 | command: ['sh', '-c', 'while true ; do echo "i am working "; sleep 10 ;done']
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment1.app-deployment1
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:36-64
36 | apiVersion: apps/v1
37 | kind: Deployment
38 | metadata:
39 | creationTimestamp: null
40 | labels:
41 | app: deployment1
42 | name: deployment1
43 | namespace: blue-team
44 | spec:
45 | replicas: 2
46 | selector:
47 | matchLabels:
48 | app: deployment1
49 | strategy: {}
50 | template:
51 | metadata:
52 | creationTimestamp: null
53 | labels:
54 | app: deployment1
55 | spec:
56 | nodeSelector:
57 | work_type: falco
58 | containers:
59 | - image: httpd
60 | name: httpd
61 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
62 | resources: {}
63 |
64 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment2.app-deployment2
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:65-92
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment2
71 | name: deployment2
72 | spec:
73 | replicas: 2
74 | selector:
75 | matchLabels:
76 | app: deployment2
77 | strategy: {}
78 | template:
79 | metadata:
80 | creationTimestamp: null
81 | labels:
82 | app: deployment2
83 | spec:
84 | nodeSelector:
85 | work_type: falco
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: app
89 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 1 ; echo " ">> /etc/passwd; done']
90 | resources: {}
91 |
92 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment3.app-deployment3
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:93-120
93 | apiVersion: apps/v1
94 | kind: Deployment
95 | metadata:
96 | creationTimestamp: null
97 | labels:
98 | app: deployment3
99 | name: deployment3
100 | spec:
101 | replicas: 1
102 | selector:
103 | matchLabels:
104 | app: deployment3
105 | strategy: {}
106 | template:
107 | metadata:
108 | creationTimestamp: null
109 | labels:
110 | app: deployment3
111 | spec:
112 | nodeSelector:
113 | work_type: falco
114 | containers:
115 | - image: ubuntu:20.04
116 | name: app
117 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
118 | resources: {}
119 |
120 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment4.app-deployment4
File: /tasks/cks/mock/01/k8s-7/scripts/task1.yaml:121-146
121 | apiVersion: apps/v1
122 | kind: Deployment
123 | metadata:
124 | creationTimestamp: null
125 | labels:
126 | app: deployment4
127 | name: deployment4
128 | spec:
129 | replicas: 1
130 | selector:
131 | matchLabels:
132 | app: deployment4
133 | strategy: {}
134 | template:
135 | metadata:
136 | creationTimestamp: null
137 | labels:
138 | app: deployment4
139 | spec:
140 | nodeSelector:
141 | work_type: falco
142 | containers:
143 | - image: nginx
144 | name: app
145 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; apt update ; sleep 1 ; done']
146 | resources: {}
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment1.app-deployment1
File: /tasks/cks/mock/01/k8s-2/scripts/task1.yaml:74-107
74 | apiVersion: apps/v1
75 | kind: Deployment
76 | metadata:
77 | creationTimestamp: null
78 | labels:
79 | app: deployment1
80 | name: deployment1
81 | namespace: prod
82 | spec:
83 | replicas: 1
84 | selector:
85 | matchLabels:
86 | app: deployment1
87 | strategy: {}
88 | template:
89 | metadata:
90 | creationTimestamp: null
91 | labels:
92 | app: deployment1
93 | spec:
94 | serviceAccountName: k8api
95 | containers:
96 | - image: viktoruj/cks-lab
97 | name: busybox
98 | command: ['sh', '-c', 'while true ; do get_secret.sh ; sleep 10 ;done']
99 | env:
100 | - name: NS
101 | value: "prod"
102 | - name: SECRET
103 | value: "db"
104 | - name: NS_CONFIGMAP
105 | value: "billing"
106 | - name: CONFIGMAP
107 | value: "bill"
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.deployment1.app-deployment1
File: /tasks/cks/mock/01/k8s-5/scripts/task1.yaml:65-89
65 | apiVersion: apps/v1
66 | kind: Deployment
67 | metadata:
68 | creationTimestamp: null
69 | labels:
70 | app: deployment1
71 | name: deployment1
72 | namespace: prod
73 | spec:
74 | replicas: 1
75 | selector:
76 | matchLabels:
77 | app: deployment1
78 | strategy: {}
79 | template:
80 | metadata:
81 | creationTimestamp: null
82 | labels:
83 | app: deployment1
84 | spec:
85 | serviceAccountName: k8api
86 | containers:
87 | - image: viktoruj/cks-lab
88 | name: busybox
89 | command: ['sh', '-c', 'while true ; do echo "i am working"; sleep 10 ;done']
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /tasks/cka/labs/01/scripts/kube-apiserver.yaml:1-120
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.mysql.app-mysql
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:46-77
46 | apiVersion: apps/v1
47 | kind: Deployment
48 | metadata:
49 | creationTimestamp: null
50 | labels:
51 | app: mysql
52 | name: mysql
53 | namespace: prod-db
54 | spec:
55 | replicas: 1
56 | selector:
57 | matchLabels:
58 | app: mysql
59 | strategy: {}
60 | template:
61 | metadata:
62 | creationTimestamp: null
63 | labels:
64 | app: mysql
65 | spec:
66 | volumes:
67 | - name: index
68 | configMap:
69 | name: db-index.html
70 | containers:
71 | - image: nginx
72 | name: nginx
73 | volumeMounts:
74 | - name: index
75 | mountPath: /usr/share/nginx/html/
76 |
77 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.user-client.all-pod-db-external
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:102-119
102 | apiVersion: v1
103 | kind: Pod
104 | metadata:
105 | creationTimestamp: null
106 | labels:
107 | run: all-pod-db-external
108 | role: db-external-connect
109 | name: all-pod-db-external
110 | namespace: user-client
111 | spec:
112 | containers:
113 | - image: viktoruj/cks-lab
114 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
115 | name: all-pod
116 | resources: {}
117 | dnsPolicy: ClusterFirst
118 | restartPolicy: Always
119 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.user-client.all-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:120-136
120 | apiVersion: v1
121 | kind: Pod
122 | metadata:
123 | creationTimestamp: null
124 | labels:
125 | run: all-pod
126 | name: all-pod
127 | namespace: user-client
128 | spec:
129 | containers:
130 | - image: viktoruj/cks-lab
131 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
132 | name: all-pod
133 | resources: {}
134 | dnsPolicy: ClusterFirst
135 | restartPolicy: Always
136 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.stage.all-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:137-153
137 | apiVersion: v1
138 | kind: Pod
139 | metadata:
140 | creationTimestamp: null
141 | labels:
142 | run: all-stage-pod
143 | name: all-stage-pod
144 | namespace: stage
145 | spec:
146 | containers:
147 | - image: viktoruj/cks-lab
148 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
149 | name: all-pod
150 | resources: {}
151 | dnsPolicy: ClusterFirst
152 | restartPolicy: Always
153 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.stage.db-connect-stage-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:155-172
155 | apiVersion: v1
156 | kind: Pod
157 | metadata:
158 | creationTimestamp: null
159 | labels:
160 | run: db-connect-stage-pod
161 | role: db-connect
162 | name: db-connect-stage-pod
163 | namespace: stage
164 | spec:
165 | containers:
166 | - image: viktoruj/cks-lab
167 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
168 | name: all-pod
169 | resources: {}
170 | dnsPolicy: ClusterFirst
171 | restartPolicy: Always
172 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.prod.prod-pod
File: /tasks/cka/mock/01/k8s-1/scripts/task23.yaml:174-189
174 | apiVersion: v1
175 | kind: Pod
176 | metadata:
177 | creationTimestamp: null
178 | labels:
179 | run: prod-pod
180 | name: prod-pod
181 | namespace: prod
182 | spec:
183 | containers:
184 | - image: viktoruj/cks-lab
185 | command: ['sh', '-c', 'while true ; do echo "$(date) i am working "; sleep 10 ;done']
186 | name: all-pod
187 | resources: {}
188 | dnsPolicy: ClusterFirst
189 | restartPolicy: Always
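Every CKV2_K8S_6 finding above has the same shape: a Pod, or the pod template of a Deployment, whose labels no NetworkPolicy in its namespace selects. The following is an added example, not code from the checkov report or from the ViktorUJ/cks repository: a small Python re-implementation of that coverage test (checkov itself is Python, but this is not its code and may differ in detail), run over workloads mirrored from the manifests quoted above together with NetworkPolicies that are assumed remediations written for this example. The namespace user-client, the role=db-external-connect label and port 3306 are taken from or assumed for the mock task; the policy names are invented.

```python
# Added example; not part of the checkov report or the ViktorUJ/cks repo.
# Re-implements the idea behind CKV2_K8S_6: a workload is "covered" when
# a NetworkPolicy in the same namespace selects its pod labels. The
# workloads below mirror manifests quoted in the report; the NetworkPolicies
# are assumed remediations written for this example.

DEFAULT_NS = "default"  # a manifest with no metadata.namespace lands here


def selector_matches(selector: dict, labels: dict) -> bool:
    """Label-selector semantics: {} matches every pod; matchLabels and
    matchExpressions are ANDed."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op = expr["key"], expr["operator"]
        values = expr.get("values") or []
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def workload_pod(manifest: dict) -> dict:
    """Namespace and the labels the running pods will carry: metadata.labels
    for a Pod, spec.template.metadata.labels for a Deployment and friends."""
    meta = manifest["metadata"]
    ns = meta.get("namespace", DEFAULT_NS)
    if manifest["kind"] == "Pod":
        labels = meta.get("labels") or {}
    else:
        labels = manifest["spec"]["template"]["metadata"].get("labels") or {}
    return {"name": f"{ns}/{meta['name']}", "namespace": ns, "labels": labels}


def pods_without_networkpolicy(manifests: list, policies: list) -> list:
    """namespace/name of every workload that no NetworkPolicy selects."""
    uncovered = []
    for manifest in manifests:
        pod = workload_pod(manifest)
        covered = any(
            pol["metadata"].get("namespace", DEFAULT_NS) == pod["namespace"]
            and selector_matches(pol["spec"].get("podSelector") or {}, pod["labels"])
            for pol in policies
        )
        if not covered:
            uncovered.append(pod["name"])
    return uncovered


# Workloads mirrored from the report (mock/01/k8s-6/task1.yaml, k8s-7/task1.yaml).
WORKLOADS = [
    {"kind": "Deployment", "metadata": {"name": "mysql", "namespace": "prod-db"},
     "spec": {"template": {"metadata": {"labels": {"app": "mysql"}}}}},
    {"kind": "Pod", "metadata": {"name": "all-pod-db-external", "namespace": "user-client",
                                 "labels": {"run": "all-pod-db-external", "role": "db-external-connect"}}},
    {"kind": "Pod", "metadata": {"name": "all-pod", "namespace": "user-client",
                                 "labels": {"run": "all-pod"}}},
    {"kind": "Pod", "metadata": {"name": "prod-pod", "namespace": "prod",
                                 "labels": {"run": "prod-pod"}}},
    {"kind": "Deployment", "metadata": {"name": "deployment2"},  # no namespace -> default
     "spec": {"template": {"metadata": {"labels": {"app": "deployment2"}}}}},
]

# Assumed remediation: default-deny in prod-db and user-client, plus one narrow
# allow so clients labelled role=db-external-connect can still reach mysql.
NETWORK_POLICIES = [
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "prod-db"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "allow-db-clients", "namespace": "prod-db"},
     "spec": {"podSelector": {"matchLabels": {"app": "mysql"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "user-client"}},
                                     "podSelector": {"matchLabels": {"role": "db-external-connect"}}}],
                           "ports": [{"protocol": "TCP", "port": 3306}]}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "user-client"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
]

if __name__ == "__main__":
    print("without policies:", pods_without_networkpolicy(WORKLOADS, []))
    print("with policies:   ", pods_without_networkpolicy(WORKLOADS, NETWORK_POLICIES))
```

Two caveats worth keeping in mind when clearing these findings. The check only asks whether some policy selects the pod, so an allow-everything policy silences it just as well as a default-deny; the useful pattern is an empty podSelector default-deny per namespace plus narrow allows like allow-db-clients above. And a manifest without metadata.namespace (deployment2 here, as in the k8s-7 task) is evaluated in default, so a policy applied to the team's namespace does nothing for it.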
terraform_plan scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 2
dockerfile scan results:
Passed checks: 168, Failed checks: 10, Skipped checks: 0
Check: CKV_DOCKER_8: "Ensure the last USER is not root"
FAILED for resource: /tasks/cks/labs/16/scripts/docker/Dockerfile.USER
File: /tasks/cks/labs/16/scripts/docker/Dockerfile:6-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-last-user-is-not-root.html
6 | USER root
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /tasks/cks/labs/16/scripts/docker/Dockerfile.
File: /tasks/cks/labs/16/scripts/docker/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM alpine:3.4
2 | RUN apk update && apk add vim curl nginx=1.10.3-r0
3 | RUN addgroup -S myuser && adduser -S myuser -G myuser
4 | COPY ./run.sh run.sh
5 | RUN ["chmod", "+x", "./run.sh"]
6 | USER root
7 | ENTRYPOINT ["/bin/sh", "./run.sh"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /tasks/eks/labs/01/worker/files/14/Dockerfile.FROM
File: /tasks/eks/labs/01/worker/files/14/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
1 | FROM ubuntu
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /tasks/eks/labs/01/worker/files/14/Dockerfile.
File: /tasks/eks/labs/01/worker/files/14/Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM ubuntu
2 | RUN apt-get update
3 | RUN apt-get -y install curl
4 |
5 | CMD ["sh", "-c", "while true ; do id ; sleep 1 ;done"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /tasks/eks/labs/01/worker/files/14/Dockerfile.
File: /tasks/eks/labs/01/worker/files/14/Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM ubuntu
2 | RUN apt-get update
3 | RUN apt-get -y install curl
4 |
5 | CMD ["sh", "-c", "while true ; do id ; sleep 1 ;done"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /docker/Dockerfile.
File: /docker/Dockerfile:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM alpine:3.17.2
2 | RUN apk add --update --no-cache curl netcat-openbsd bash jq
3 | COPY get_secret.sh /usr/bin/get_secret.sh
4 | RUN chmod +x /usr/bin/get_secret.sh
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /docker/Dockerfile.
File: /docker/Dockerfile:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM alpine:3.17.2
2 | RUN apk add --update --no-cache curl netcat-openbsd bash jq
3 | COPY get_secret.sh /usr/bin/get_secret.sh
4 | RUN chmod +x /usr/bin/get_secret.sh
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /tasks/cks/mock/01/worker/files/14/Dockerfile.FROM
File: /tasks/cks/mock/01/worker/files/14/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
1 | FROM ubuntu
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /tasks/cks/mock/01/worker/files/14/Dockerfile.
File: /tasks/cks/mock/01/worker/files/14/Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM ubuntu
2 | RUN apt-get update
3 | RUN apt-get -y install curl
4 |
5 | CMD ["sh", "-c", "while true ; do id ; sleep 1 ;done"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /tasks/cks/mock/01/worker/files/14/Dockerfile.
File: /tasks/cks/mock/01/worker/files/14/Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM ubuntu
2 | RUN apt-get update
3 | RUN apt-get -y install curl
4 |
5 | CMD ["sh", "-c", "while true ; do id ; sleep 1 ;done"]
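The four Dockerfile checks that fail above are all structural: is there a HEALTHCHECK, is a USER ever set, is the last USER root, is the FROM image tagged with something other than latest. The following is an added example, not code from the checkov report or from the ViktorUJ/cks repository: a Python re-implementation of those four checks (CKV_DOCKER_2, _3, _7 and _8, as this example interprets them; checkov's own code may differ in edge cases), run over a copy of the labs/16 Dockerfile quoted in the report, over the ubuntu Dockerfile quoted twice, and over an assumed hardened rewrite of the labs/16 file. The hardened file's port 8080, the --chown copy and the HEALTHCHECK command are assumptions for the example; run.sh is assumed to start nginx on an unprivileged port. Note that lab material may contain weak settings on purpose (an old alpine:3.4 base is a typical image-scanning exercise), so the rewrite is an illustration of what clears the checks, not a claim about what the lab should contain.

```python
# Added example; not part of the checkov report or the ViktorUJ/cks repo.
# A small re-implementation of the four Dockerfile checks that fail above
# (CKV_DOCKER_2, _3, _7, _8), run over a copy of the labs/16 Dockerfile
# quoted in the report and over an assumed hardened rewrite of it.

ROOT_USERS = {"root", "0"}


def parse_dockerfile(text: str) -> list:
    """[(INSTRUCTION, argument)] with backslash continuations joined and
    comments and blank lines dropped."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        name, _, arg = buf.partition(" ")
        instructions.append((name.upper(), arg.strip()))
        buf = ""
    return instructions


def unpinned_base_images(instructions: list) -> list:
    """CKV_DOCKER_7: FROM images with no tag or the :latest tag. Digests
    (@sha256:...), scratch and references to earlier build stages pass."""
    unpinned, stages = [], set()
    for name, arg in instructions:
        if name != "FROM":
            continue
        parts = [p for p in arg.split() if not p.startswith("--")]  # drop --platform=
        image = parts[0]
        if len(parts) == 3 and parts[1].upper() == "AS":
            stages.add(parts[2])
        if image == "scratch" or image in stages or "@sha256:" in image:
            continue
        _, _, last = image.rpartition("/")  # registry:port/ is not a tag
        tag = last.partition(":")[2]
        if tag in ("", "latest"):
            unpinned.append(image)
    return unpinned


def failed_checks(text: str) -> list:
    """Sorted IDs of the checks this Dockerfile fails."""
    instructions = parse_dockerfile(text)
    names = [n for n, _ in instructions]
    failures = []
    if "HEALTHCHECK" not in names:
        failures.append("CKV_DOCKER_2")
    users = [arg for n, arg in instructions if n == "USER"]
    if not users:
        failures.append("CKV_DOCKER_3")
    elif users[-1].split(":")[0] in ROOT_USERS:  # "root:root" and "0" are root too
        failures.append("CKV_DOCKER_8")
    if unpinned_base_images(instructions):
        failures.append("CKV_DOCKER_7")
    return sorted(failures)


# Copy of /tasks/cks/labs/16/scripts/docker/Dockerfile as quoted in the report.
LAB16_DOCKERFILE = """\
FROM alpine:3.4
RUN apk update && apk add vim curl nginx=1.10.3-r0
RUN addgroup -S myuser && adduser -S myuser -G myuser
COPY ./run.sh run.sh
RUN ["chmod", "+x", "./run.sh"]
USER root
ENTRYPOINT ["/bin/sh", "./run.sh"]
"""

# Copy of the ubuntu Dockerfile quoted twice in the report.
UBUNTU_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update
RUN apt-get -y install curl

CMD ["sh", "-c", "while true ; do id ; sleep 1 ;done"]
"""

# Assumed hardened rewrite of the labs/16 file: pinned base, the user that was
# already created is actually used, and a HEALTHCHECK is present. run.sh is
# assumed to start nginx on port 8080 so it can run without root.
HARDENED_DOCKERFILE = """\
FROM alpine:3.17.2
RUN apk add --no-cache curl nginx
RUN addgroup -S myuser && adduser -S myuser -G myuser
COPY --chown=myuser:myuser ./run.sh /run.sh
RUN chmod 0755 /run.sh
USER myuser
HEALTHCHECK --interval=30s --timeout=3s \\
    CMD curl -fsS http://127.0.0.1:8080/ || exit 1
ENTRYPOINT ["/bin/sh", "/run.sh"]
"""

if __name__ == "__main__":
    for label, text in [("labs/16", LAB16_DOCKERFILE), ("ubuntu", UBUNTU_DOCKERFILE),
                        ("hardened", HARDENED_DOCKERFILE)]:
        print(f"{label:9s} fails: {failed_checks(text)}")
```

The labs/16 file passes CKV_DOCKER_3 because a USER instruction exists and fails CKV_DOCKER_8 because the last one is root, which is exactly the split the report shows; creating myuser and then switching back to root gains nothing at runtime. A tag is only a weak pin (alpine:3.17.2 can be re-pushed); for supply-chain purposes prefer a digest (`FROM alpine@sha256:...`), which this check also accepts.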
secrets scan results:
Passed checks: 0, Failed checks: 1, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: ea5b88186ab5459d393a1c7bcf2e919f729a8e2b
File: /tasks/cks/mock/01/k8s-6/scripts/task5.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | password: UGEx************
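CKV_SECRET_6 flags the task5.yaml value above purely on statistics: a base64-looking token whose character distribution is too random to be prose. The following is an added example, not code from the checkov report or from the ViktorUJ/cks repository: a Python implementation of that entropy test, run over constructed YAML lines that mimic the shapes seen in this report, beside a keyword check for the plaintext credentials that entropy scoring cannot see (the k8s-1 task2.yaml excerpts above pass MYSQL_ROOT_PASSWORD and MARIADB_PASSWORD as literal `value:` strings, and the secrets scan reports nothing for them). The 4.5 bits-per-character threshold follows the detect-secrets default for base64 strings; the sample secret value and the resource names are constructed for this example and the masked report value is not reproduced.

```python
# Added example; not part of the checkov report or the ViktorUJ/cks repo.
# Shows how a base64 high-entropy check such as CKV_SECRET_6 decides to
# flag a value, and why a low-entropy plaintext password in an env `value:`
# slips past it. All sample lines are constructed for this example.
import math
import re

BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
BASE64_THRESHOLD = 4.5  # bits per character; detect-secrets' default for base64
SECRET_KEYWORDS = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_high_entropy_strings(lines: list) -> list:
    """(line_no, 'high-entropy', masked_prefix, entropy) for every base64-like
    token of 20+ characters whose entropy exceeds the threshold."""
    findings = []
    for i, line in enumerate(lines, 1):
        for m in BASE64_TOKEN.finditer(line):
            token = m.group(0)
            entropy = shannon_entropy(token)
            if entropy > BASE64_THRESHOLD:
                findings.append((i, "high-entropy", token[:4] + "***", round(entropy, 2)))
    return findings


def find_literal_credential_env(lines: list) -> list:
    """(line_no, 'literal-credential', env_name) for `- name: <credential-ish>`
    env entries whose next key is a literal `value:` instead of `valueFrom:`."""
    findings = []
    for i, line in enumerate(lines, 1):
        m = re.match(r"\s*-\s*name:\s*(\S+)", line)
        if not m or not SECRET_KEYWORDS.search(m.group(1)):
            continue
        following = next((l.strip() for l in lines[i:] if l.strip()), "")
        if following.startswith("value:"):
            findings.append((i, "literal-credential", m.group(1)))
    return findings


# Constructed sample: a Secret with one short and one random-looking value,
# and a container env block in the two styles seen in this report.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  username: YWRtaW4=
  password: Pa7xQm2ZkL9wRt4Ys6Nv1Hb3Jc5Dg8Fe
---
containers:
- image: viktoruj/cks-lab
  name: app
  env:
  - name: MYSQL_ROOT_PASSWORD
    value: "my-secret-pw"
  - name: SECRET_USERNAME
    valueFrom:
      secretKeyRef:
        name: secret2
        key: secret
"""


def scan(text: str) -> list:
    lines = text.splitlines()
    return find_high_entropy_strings(lines) + find_literal_credential_env(lines)


if __name__ == "__main__":
    for finding in scan(SAMPLE_MANIFEST):
        print(finding)
```

Running it shows the asymmetry: the 32-character password value scores 5.0 bits per character and is flagged, while YWRtaW4= (too short for the token pattern) and the literal "my-secret-pw" (not base64 shaped, and low entropy anyway) are invisible to the entropy check, so only the keyword rule catches the plaintext root password. In a pipeline the fix is the same for both cases: move the value into a Secret that is not committed (sealed or pulled from an external store) and reference it with valueFrom.secretKeyRef, as the SECRET_USERNAME entry does.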
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools