Signed-off-by: Matthias Bertschy <[email protected]>
@@ -0,0 +1,90 @@ | ||
{{ $hookName := "label-selector-force-replace" -}} | ||
Check warning Code scanning / kubescape Automatic mapping of service account Warning
A potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mounting of service account tokens in the service account configuration and enable it only for pods that need to use them.
Check warning Code scanning / kubescape Linux hardening Warning
Containers may be given more privileges than they actually need. This can increase the potential impact of a container compromise.
Check warning Code scanning / kubescape Missing network policy Warning
This control detects workloads that have no NetworkPolicy configured in labels. If a network policy is not configured, your applications might not have the necessary control over the traffic to and from the pods, possibly leading to a security vulnerability.
Check warning Code scanning / kubescape Check if signature exists Warning
Ensures that all images contain some signature.
Check notice Code scanning / kubescape Immutable container filesystem Note
A mutable container filesystem can be abused to inject malicious code or data into containers. Use an immutable (read-only) filesystem to limit potential attacks.
Check warning Code scanning / kubescape Non-root containers Warning
Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or able to escalate to root.
Check warning Code scanning / kubescape Configured liveness probe Warning
A liveness probe is intended to ensure that a workload remains healthy during its entire execution lifecycle, or otherwise restart the container. It is highly recommended to define a liveness probe for every worker container. This control finds all the pods where the liveness probe is not configured.
Check warning Code scanning / kubescape Ensure CPU limits are set Warning
This control identifies all Pods for which the CPU limits are not set.
Check notice Code scanning / kubescape Configured readiness probe Note
A readiness probe is intended to ensure that a workload is ready to process network traffic. It is highly recommended to define a readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.
Check warning Code scanning / kubescape Ensure memory limits are set Warning
This control identifies all Pods for which the memory limits are not set.
Check warning Code scanning / kubescape Allow privilege escalation Warning
Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.
Check warning Code scanning / kubescape Ingress and Egress blocked Warning
Disable ingress and egress traffic on all pods wherever possible. It is recommended to define a restrictive network policy on all new pods, and then enable only the sources/destinations that the pod must communicate with.
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: {{ $hookName }} | ||
namespace: {{ .Values.ksNamespace }} | ||
annotations: | ||
"helm.sh/hook": "pre-install,pre-upgrade" | ||
"helm.sh/hook-weight": "-20" | ||
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" | ||
labels: | ||
app: {{ $hookName }} | ||
rules: | ||
- apiGroups: | ||
- "apps" | ||
resources: | ||
- daemonsets | ||
- deployments | ||
verbs: | ||
- "delete" | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: {{ $hookName }} | ||
namespace: {{ .Values.ksNamespace }} | ||
annotations: | ||
"helm.sh/hook": "pre-install,pre-upgrade" | ||
"helm.sh/hook-weight": "-15" | ||
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" | ||
labels: | ||
app: {{ $hookName }} | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: {{ $hookName }} | ||
namespace: {{ .Values.ksNamespace }} | ||
annotations: | ||
"helm.sh/hook": "pre-install,pre-upgrade" | ||
"helm.sh/hook-weight": "-14" | ||
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" | ||
labels: | ||
app: {{ $hookName }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ $hookName }} | ||
namespace: {{ .Values.ksNamespace }} | ||
roleRef: | ||
kind: Role | ||
name: {{ $hookName }} | ||
apiGroup: rbac.authorization.k8s.io | ||
--- | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: {{ $hookName }} | ||
namespace: {{ .Values.ksNamespace }} | ||
annotations: | ||
"helm.sh/hook": "pre-install,pre-upgrade" | ||
"helm.sh/hook-weight": "-10" | ||
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" | ||
labels: | ||
app: {{ $hookName }} | ||
spec: | ||
template: | ||
spec: | ||
serviceAccountName: {{ $hookName }} | ||
containers: | ||
- name: {{ $hookName }} | ||
image: "docker.io/bitnami/kubectl:1.30.3" | ||
imagePullPolicy: "IfNotPresent" | ||
command: | ||
- /bin/sh | ||
- -e | ||
- -x | ||
- -c | ||
- >- | ||
kubectl -n {{ .Values.ksNamespace }} delete daemonset node-agent --ignore-not-found=true; | ||
kubectl -n {{ .Values.ksNamespace }} delete deployment gateway --ignore-not-found=true; | ||
kubectl -n {{ .Values.ksNamespace }} delete deployment kubescape --ignore-not-found=true; | ||
kubectl -n {{ .Values.ksNamespace }} delete deployment kubevuln --ignore-not-found=true; | ||
kubectl -n {{ .Values.ksNamespace }} delete deployment operator --ignore-not-found=true; | ||
kubectl -n {{ .Values.ksNamespace }} delete deployment oter-collector --ignore-not-found=true; | ||
kubectl -n {{ .Values.ksNamespace }} delete deployment storage --ignore-not-found=true; | ||
kubectl -n {{ .Values.ksNamespace }} delete deployment synchronizer --ignore-not-found=true; | ||
kubectl -n {{ .Values.ksNamespace }} delete deployment kollector --ignore-not-found=true; | ||
restartPolicy: Never | ||
backoffLimit: 6 |
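Review bot: on the `delete deployment oter-collector` line of the hook script, `oter-collector` looks like a typo (presumably the `otel-collector` deployment); because every command in the script runs with `--ignore-not-found=true`, the misspelled name fails silently and that deployment is never deleted, so the force-replace hook would not do its job for that component while still reporting success. Two smaller points on the same hunk: the Role grants `delete` on all daemonsets and deployments in the namespace, whereas the script only ever touches nine named workloads, so a `resourceNames:` list on the rule would scope the hook's service account to exactly those objects; and the Job container runs `docker.io/bitnami/kubectl:1.30.3` with no `securityContext` and the image pinned by tag rather than digest, so adding `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: {drop: [ALL]}}` to the container and pinning the image with an `@sha256:` digest would clear most of the scanner findings attached to this file without changing behaviour. Also worth noting: `hook-delete-policy` includes `hook-failed`, which deletes the Job (and its pod logs) on failure, so a failed delete leaves nothing behind to debug; consider dropping `hook-failed` and relying on `before-hook-creation` for cleanup.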