Hardening deployment of adcs simulator #61

Closed
djkormo opened this issue Feb 15, 2024 · 1 comment
enhancement New feature or request

Comments

@djkormo
Owner

djkormo commented Feb 15, 2024

TODO
Hardening deployment of adcs simulator

Starting point

Grade: D
Score: 65%

polaris audit --color --format pretty --only-show-failed-tests
Deployment adcs-sim-deployment in namespace adcs-issuer
    metadataAndInstanceMismatched        😬 Warning
        Reliability - Label app.kubernetes.io/instance must match metadata.name
    missingPodDisruptionBudget           😬 Warning
        Reliability - Should have a PodDisruptionBudget
    deploymentMissingReplicas            😬 Warning
        Reliability - Only one replica is scheduled
    automountServiceAccountToken         😬 Warning
        Security - The ServiceAccount will be automounted
    missingNetworkPolicy                 😬 Warning
        Security - A NetworkPolicy should match pod labels and contain applied egress and ingress rules
    priorityClassNotSet                  😬 Warning
        Reliability - Priority class should be set
    topologySpreadConstraint             😬 Warning
        Reliability - Pod should be configured with a valid topology spread constraint
  Container manager
    runAsRootAllowed                     ❌ Danger
        Security - Should not be allowed to run as root
    linuxHardening                       😬 Warning
        Security - Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
    notReadOnlyRootFilesystem            😬 Warning
        Security - Filesystem should be read only
    privilegeEscalationAllowed           ❌ Danger
        Security - Privilege escalation should not be allowed
    insecureCapabilities                 😬 Warning
        Security - Container should not have insecure capabilities
    livenessProbeMissing                 😬 Warning
        Reliability - Liveness probe should be configured
    readinessProbeMissing                😬 Warning
        Reliability - Readiness probe should be configured


ConfigMap adcs-sim-configmap in namespace adcs-issuer
    sensitiveConfigmapContent            ❌ Danger
        Security - Potentially sensitive content is detected in the ConfigMap keys or values

@djkormo djkormo added the enhancement New feature or request label Feb 15, 2024
@djkormo djkormo self-assigned this Feb 15, 2024
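The Polaris findings quoted above map almost one-to-one onto fields of the Deployment manifest. The block below is an added example, not code from this issue or from the adcs-issuer project: it re-implements an approximation of the Deployment- and container-level checks in plain Python and runs them against a constructed "before" manifest (which reproduces the twelve Deployment findings listed in the audit) and a hardened "after" manifest for `adcs-sim-deployment` / container `manager` that clears them. The image, port, probe paths and priority class name are assumed placeholders, and the `missingPodDisruptionBudget`, `missingNetworkPolicy` and ConfigMap findings are not modelled because they concern separate objects.

```python
# Added example, not part of the issue or the adcs-issuer project: a plain-Python
# approximation of the Polaris checks quoted in the audit, run over a constructed
# "before" Deployment and a hardened "after" Deployment. Image, port, probe paths
# and the priority class name are assumed placeholders.

# Default Linux capabilities that Polaris's insecureCapabilities check rejects when added.
INSECURE_CAPS = {"CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
                 "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
                 "SYS_CHROOT", "KILL", "AUDIT_WRITE"}

# Constructed starting point: a bare Deployment of the kind that yields the audit above.
BEFORE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "adcs-sim-deployment", "namespace": "adcs-issuer"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "adcs-sim"}},
        "template": {
            "metadata": {"labels": {"app": "adcs-sim"}},
            "spec": {"containers": [{"name": "manager",
                                     "image": "adcs-sim:placeholder",   # assumed
                                     "ports": [{"containerPort": 8443}]}]},  # assumed
        },
    },
}

# Hardened manifest: each field below answers one finding from the audit.
AFTER = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "adcs-sim-deployment", "namespace": "adcs-issuer",
                 "labels": {"app.kubernetes.io/instance": "adcs-sim-deployment"}},
    "spec": {
        "replicas": 2,                                        # deploymentMissingReplicas
        "selector": {"matchLabels": {"app": "adcs-sim"}},
        "template": {
            "metadata": {"labels": {"app": "adcs-sim",
                                    "app.kubernetes.io/instance": "adcs-sim-deployment"}},
            "spec": {
                "automountServiceAccountToken": False,        # automountServiceAccountToken
                "priorityClassName": "adcs-sim-priority",     # priorityClassNotSet (assumed name)
                "securityContext": {"runAsNonRoot": True, "runAsUser": 65532,
                                    "seccompProfile": {"type": "RuntimeDefault"}},  # linuxHardening
                "topologySpreadConstraints": [{               # topologySpreadConstraint
                    "maxSkew": 1, "topologyKey": "kubernetes.io/hostname",
                    "whenUnsatisfiable": "ScheduleAnyway",
                    "labelSelector": {"matchLabels": {"app": "adcs-sim"}}}],
                "containers": [{
                    "name": "manager", "image": "adcs-sim:placeholder",
                    "ports": [{"containerPort": 8443}],
                    "securityContext": {
                        "runAsNonRoot": True,                 # runAsRootAllowed
                        "allowPrivilegeEscalation": False,    # privilegeEscalationAllowed
                        "readOnlyRootFilesystem": True,       # notReadOnlyRootFilesystem
                        "capabilities": {"drop": ["ALL"]}},   # insecureCapabilities
                    "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8443, "scheme": "HTTPS"}},
                    "readinessProbe": {"httpGet": {"path": "/readyz", "port": 8443, "scheme": "HTTPS"}},
                    # A read-only root filesystem still needs a writable scratch area.
                    "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
                "volumes": [{"name": "tmp", "emptyDir": {}}],
            },
        },
    },
}


def container_findings(container, pod_sc):
    """Container-level checks; pod_sc is the pod securityContext the container inherits from."""
    sc = container.get("securityContext", {})
    caps = sc.get("capabilities", {})
    drop = {c.upper() for c in caps.get("drop", [])}
    add = {c.upper() for c in caps.get("add", [])}
    out = []
    if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
        out.append("runAsRootAllowed")
    if sc.get("allowPrivilegeEscalation") is not False:
        out.append("privilegeEscalationAllowed")
    if sc.get("readOnlyRootFilesystem") is not True:
        out.append("notReadOnlyRootFilesystem")
    if "ALL" not in drop or add & INSECURE_CAPS:
        out.append("insecureCapabilities")
    has_seccomp = "seccompProfile" in sc or "seccompProfile" in pod_sc
    if not (has_seccomp or drop or "seLinuxOptions" in sc):  # AppArmor annotations not modelled
        out.append("linuxHardening")
    for probe in ("livenessProbe", "readinessProbe"):
        if probe not in container:
            out.append(probe.replace("Probe", "ProbeMissing"))
    return out


def audit(deployment):
    """Return the sorted Polaris-style finding ids for a Deployment dict."""
    meta, spec = deployment["metadata"], deployment["spec"]
    pod = spec["template"]["spec"]
    out = []
    if meta.get("labels", {}).get("app.kubernetes.io/instance") != meta["name"]:
        out.append("metadataAndInstanceMismatched")
    if spec.get("replicas", 1) < 2:
        out.append("deploymentMissingReplicas")
    if pod.get("automountServiceAccountToken") is not False:
        out.append("automountServiceAccountToken")
    if not pod.get("priorityClassName"):
        out.append("priorityClassNotSet")
    if not pod.get("topologySpreadConstraints"):
        out.append("topologySpreadConstraint")
    for c in pod["containers"]:
        out.extend(container_findings(c, pod.get("securityContext", {})))
    return sorted(out)


if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

The check logic deliberately mirrors the wording of the audit rather than Polaris's exact JSON schemas, so treat it as a reading aid for the findings, not as a replacement for running `polaris audit` against the rendered manifests. The `emptyDir` mount at `/tmp` is the usual companion to `readOnlyRootFilesystem: true`; without it a process that writes temporary files will fail at runtime even though the audit is clean.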
@djkormo
Owner Author

djkormo commented Feb 16, 2024

PR created
#62

@djkormo djkormo closed this as completed Mar 11, 2024