Configuration audit reports #220

Open
cristianrgreco opened this issue Aug 13, 2024 · 1 comment

cristianrgreco commented Aug 13, 2024

Hi 👋

Firstly, thanks so much for making these charts available, and for making them so configurable and easy to use!

I've deployed this chart onto a home server and run Trivy configuration audits, and found a few problems:

Replica set:

Name:         replicaset-minecraft-minecraft-f9b4c8777
Report:
  Checks:
    Category:     Kubernetes Security Check
    Check ID:     KSV001
    Description:  A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
    Messages:
      Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should set 'securityContext.allowPrivilegeEscalation' to false
    Remediation:  Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.
    Severity:     MEDIUM
    Success:      false
    Title:        Can elevate its own privileges
    Category:     Kubernetes Security Check
    Check ID:     KSV003
    Description:  The container should drop all default capabilities and add only those that are needed for its execution.
    Messages:
      Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should add 'ALL' to 'securityContext.capabilities.drop'
    Remediation:  Add 'ALL' to containers[].securityContext.capabilities.drop.
    Severity:     LOW
    Success:      false
    Title:        Default capabilities: some containers do not drop all
    Category:     Kubernetes Security Check
    Check ID:     KSV004
    Description:  Security best practices require containers to run with minimal required capabilities.
    Messages:
      Container 'minecraft-minecraft' of 'replicaset' 'minecraft-minecraft-f9b4c8777' in 'minecraft' namespace should set securityContext.capabilities.drop
    Remediation:  Specify at least one unneeded capability in 'containers[].securityContext.capabilities.drop'
    Severity:     LOW
    Success:      false
    Title:        Default capabilities: some containers do not drop any
    Category:     Kubernetes Security Check
    Check ID:     KSV012
    Description:  Force the running image to run as a non-root user to ensure least privileges.
    Messages:
      Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should set 'securityContext.runAsNonRoot' to true
    Remediation:  Set 'containers[].securityContext.runAsNonRoot' to true.
    Severity:     MEDIUM
    Success:      false
    Title:        Runs as root user
    Category:     Kubernetes Security Check
    Check ID:     KSV013
    Description:  It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.
    Messages:
      Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should specify an image tag
    Remediation:  Use a specific container image tag that is not 'latest'.
    Severity:     MEDIUM
    Success:      false
    Title:        Image tag ":latest" used
    Category:     Kubernetes Security Check
    Check ID:     KSV014
    Description:  An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
    Messages:
      Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should set 'securityContext.readOnlyRootFilesystem' to true
    Remediation:  Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.
    Severity:     HIGH
    Success:      false
    Title:        Root file system is not read-only
    Category:     Kubernetes Security Check
    Check ID:     KSV020
    Description:  Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
    Messages:
      Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should set 'securityContext.runAsUser' > 10000
    Remediation:  Set 'containers[].securityContext.runAsUser' to an integer > 10000.
    Severity:     LOW
    Success:      false
    Title:        Runs with UID <= 10000
    Category:     Kubernetes Security Check
    Check ID:     KSV021
    Description:  Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
    Messages:
      Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should set 'securityContext.runAsGroup' > 10000
    Remediation:  Set 'containers[].securityContext.runAsGroup' to an integer > 10000.
    Severity:     LOW
    Success:      false
    Title:        Runs with GID <= 10000
    Category:     Kubernetes Security Check
    Check ID:     KSV030
    Description:  According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.
    Messages:
      Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
    Remediation:  Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.
    Severity:     LOW
    Success:      false
    Title:        Runtime/Default Seccomp profile not set
    Category:     Kubernetes Security Check
    Check ID:     KSV032
    Description:  Containers should only use images from trusted registries.
    Messages:
      container minecraft-minecraft of replicaset minecraft-minecraft-f9b4c8777 in minecraft namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'
    Remediation:  Use images from trusted Azure registries.
    Severity:     MEDIUM
    Success:      false
    Title:        All container images must start with the *.azurecr.io domain
    Category:     Kubernetes Security Check
    Check ID:     KSV033
    Description:  Containers should only use images from trusted GCR registries.
    Messages:
      container minecraft-minecraft of replicaset minecraft-minecraft-f9b4c8777 in minecraft namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries
    Remediation:  Use images from trusted GCR registries.
    Severity:     MEDIUM
    Success:      false
    Title:        All container images must start with a GCR domain
    Category:     Kubernetes Security Check
    Check ID:     KSV034
    Description:  Container images must not start with an empty prefix or a defined public registry domain.
    Messages:
      Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should restrict container image to use private registries
    Remediation:  Use images from private registries.
    Severity:     MEDIUM
    Success:      false
    Title:        Container images from public registries used
    Category:     Kubernetes Security Check
    Check ID:     KSV035
    Description:  Container images from non-ECR registries should be forbidden.
    Messages:
      Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html
    Remediation:  Container image should be used from Amazon container Registry
    Severity:     MEDIUM
    Success:      false
    Title:        All container images must start with an ECR domain
    Category:     Kubernetes Security Check
    Check ID:     KSV039
    Description:  ensure limit range policy has configure in order to limit resource usage for namespaces or nodes
    Messages:
      limit range policy with a default request and limit, min and max request, for each container should be configure
    Remediation:  create limit range policy with a default request and limit, min and max request, for each container.
    Severity:     LOW
    Success:      false
    Title:        limit range usage
    Category:     Kubernetes Security Check
    Check ID:     KSV040
    Description:  ensure resource quota policy has configure in order to limit aggregate resource usage within namespace
    Messages:
      resource quota policy with hard memory and cpu quota per namespace should be configure
    Remediation:  create resource quota policy with mem and cpu quota per each namespace
    Severity:     LOW
    Success:      false
    Title:        resource quota usage
    Category:     Kubernetes Security Check
    Check ID:     KSV104
    Description:  A program inside the container can bypass Seccomp protection policies.
    Messages:
      container "minecraft-minecraft" of replicaset "minecraft-minecraft-f9b4c8777" in "minecraft" namespace should specify a seccomp profile
    Remediation:  Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards
    Severity:     MEDIUM
    Success:      false
    Title:        Seccomp policies disabled
    Category:     Kubernetes Security Check
    Check ID:     KSV106
    Description:  Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
    Messages:
      container should drop all
    Remediation:  Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.
    Severity:     LOW
    Success:      false
    Title:        Container capabilities must only include NET_BIND_SERVICE
  Scanner:
    Name:     Trivy
    Vendor:   Aqua Security
    Version:  0.22.0
  Summary:
    Critical Count:  0
    High Count:      1
    Low Count:       8
    Medium Count:    8

Service:

Name:         service-minecraft-minecraft
Report:
  Checks:
    Category:     Kubernetes Security Check
    Check ID:     KSV039
    Description:  ensure limit range policy has configure in order to limit resource usage for namespaces or nodes
    Messages:
      limit range policy with a default request and limit, min and max request, for each container should be configure
    Remediation:  create limit range policy with a default request and limit, min and max request, for each container.
    Severity:     LOW
    Success:      false
    Title:        limit range usage
    Category:     Kubernetes Security Check
    Check ID:     KSV040
    Description:  ensure resource quota policy has configure in order to limit aggregate resource usage within namespace
    Messages:
      resource quota policy with hard memory and cpu quota per namespace should be configure
    Remediation:  create resource quota policy with mem and cpu quota per each namespace
    Severity:     LOW
    Success:      false
    Title:        resource quota usage
  Scanner:
    Name:     Trivy
    Vendor:   Aqua Security
    Version:  0.22.0
  Summary:
    Critical Count:  0
    High Count:      0
    Low Count:       2
    Medium Count:    0
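As an added example (not part of this issue, nor code from the chart or from Trivy), the following Python approximates the container-level KSV checks from the report above and runs them over a constructed weak pod spec and a hardened one; Trivy's real rules are Rego policies that accept more cases (for example localhost seccomp profiles), and every image name, tag and UID here is a placeholder.

```python
# Added example, not the issue's or the chart's code: an approximation of the
# Trivy KSV checks in the report, run over pod specs given as plain dicts.
# Image names, tags and UIDs are constructed placeholders.

# Weak spec: no securityContext and an untagged image (implicitly ':latest').
WEAK_SPEC = {"containers": [{"name": "minecraft-minecraft",
                             "image": "registry.example/minecraft-server"}]}

# Hardened spec; a read-only root fs needs writable volumes wherever the server writes.
HARDENED_SPEC = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "minecraft-minecraft",
        "image": "registry.example/minecraft-server:1.2.3",  # pinned tag
        "securityContext": {
            "allowPrivilegeEscalation": False, "runAsNonRoot": True,
            "runAsUser": 10001, "runAsGroup": 10001,
            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]},
        },
    }],
}

def image_tag(image):
    last = image.rsplit("/", 1)[-1]  # skip any ':port' in the registry host
    return last.split(":", 1)[1] if ":" in last else "latest"

# (check id, predicate that must hold for a container to pass), per the report
CONTAINER_CHECKS = [
    ("KSV001", lambda c, sc: sc.get("allowPrivilegeEscalation") is False),
    ("KSV003", lambda c, sc: "ALL" in sc.get("capabilities", {}).get("drop", [])),
    ("KSV004", lambda c, sc: bool(sc.get("capabilities", {}).get("drop"))),
    ("KSV012", lambda c, sc: sc.get("runAsNonRoot") is True),
    ("KSV013", lambda c, sc: image_tag(c["image"]) != "latest"),
    ("KSV014", lambda c, sc: sc.get("readOnlyRootFilesystem") is True),
    ("KSV020", lambda c, sc: sc.get("runAsUser", 0) > 10000),
    ("KSV021", lambda c, sc: sc.get("runAsGroup", 0) > 10000),
]

def failing_checks(spec):
    """Sorted KSV ids (from the report above) that the pod spec fails."""
    failed = set()
    pod_seccomp = spec.get("securityContext", {}).get("seccompProfile", {}).get("type")
    for c in spec["containers"]:
        sc = c.get("securityContext", {})
        failed.update(cid for cid, ok in CONTAINER_CHECKS if not ok(c, sc))
        ctr_seccomp = sc.get("seccompProfile", {}).get("type")
        if "RuntimeDefault" not in (pod_seccomp, ctr_seccomp):
            failed.add("KSV030")  # a pod- or container-level profile suffices
    return sorted(failed)
```

The registry checks (KSV032/033/035) are mutually exclusive cloud-specific rules and KSV039/040 concern namespace-level LimitRange and ResourceQuota objects rather than the pod spec, so they are not modelled here.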
itzg (Owner) commented Aug 13, 2024

Thanks but that was too much to read. I don't actively make changes to these charts anymore myself so you're welcome to submit a PR to fix what can be fixed.

For the first one you can already set the value podSecurityContext to whatever it needs to be, such as their recommended solution.
