☂️-Issue reduce container capabilities #267

Open
29 tasks
majst01 opened this issue Sep 14, 2022 · 0 comments
majst01 commented Sep 14, 2022

Reduce capabilities of our containers found by https://github.com/bridgecrewio/checkov:

  • audittailer:

    • CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
    • CKV_K8S_15 "Image Pull Policy should be Always"
    • CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
    • CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
  • csi-lvm-controller

    • CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
    • CKV_K8S_23 "Minimize the admission of root containers"
    • CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
    • CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
    • CKV_K8S_40 "Containers should run as a high UID to avoid host conflict"
  • droptailer

    • CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
    • CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
  • metallb-system-controller

    • CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
    • CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
    • CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"

CKV_K8S_15 is kept as it is because we always have semver versioning for images in place without the ability to override an already pushed image.
CKV_K8S_40 is not changed because we do not write from our containers.

Gardener components

These need to be fixed at gardener

  • blackbox-exporter

    • CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
    • CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
    • CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
  • calico-node-vertical-autoscaler

    • CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
    • CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
    • CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
  • coredns

    • CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
  • metrics-server

    • CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
    • CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
    • CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
  • vpn-shoot

    • CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
    • CKV_K8S_23 "Minimize the admission of root containers"
    • CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
    • CKV_K8S_25 "Minimize the admission of containers with added capability"
    • CKV_K8S_40 "Containers should run as a high UID to avoid host conflict"
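For reference, the Pod spec changes that clear the findings listed above, as an added example (not a manifest from this repository or from gardener; the Deployment name, namespace, image and UID 10001 are placeholders). The first document is the shape of spec that trips CKV_K8S_20/23/28/38 because it relies on the Kubernetes defaults; the second is the same workload with an explicit pod- and container-level securityContext and the service account token mount switched off:

```yaml
# Added illustrative example, not a manifest from this project.
# example-tailer, example-ns, the image reference and UID 10001 are assumptions.
#
# --- Before: nothing set explicitly, so the defaults apply ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-tailer
  namespace: example-ns
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-tailer
  template:
    metadata:
      labels:
        app: example-tailer
    spec:
      # automountServiceAccountToken defaults to true: the SA token is mounted
      # at /var/run/secrets/kubernetes.io/serviceaccount even if the process
      # never talks to the API server (CKV_K8S_38)
      containers:
        - name: tailer
          image: registry.example.com/example-tailer:v1.2.3
          # No securityContext: the process runs as whatever UID the image sets,
          # often 0 (CKV_K8S_23), keeps the runtime's default capability set,
          # which includes NET_RAW (CKV_K8S_28), and setuid binaries can still
          # raise privileges (CKV_K8S_20).
---
# --- After: same workload with the findings addressed ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-tailer
  namespace: example-ns
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-tailer
  template:
    metadata:
      labels:
        app: example-tailer
    spec:
      automountServiceAccountToken: false   # CKV_K8S_38
      securityContext:
        runAsNonRoot: true                  # CKV_K8S_23: kubelet refuses to start a UID-0 process
        runAsUser: 10001                    # CKV_K8S_40: high UID, no clash with host accounts
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: tailer
          image: registry.example.com/example-tailer:v1.2.3
          # pull policy deliberately left unchanged (CKV_K8S_15 accepted above,
          # tags are immutable semver); IfNotPresent is an assumed value
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false # CKV_K8S_20: sets no_new_privs, setuid bits no longer grant root
            readOnlyRootFilesystem: true    # safe here because these containers do not write
            capabilities:
              drop: ["ALL"]                 # clears NET_RAW (CKV_K8S_28); add back only what a component proves it needs (CKV_K8S_25)
```

Two caveats when applying this pattern: `runAsNonRoot: true` only works if the image either declares a numeric `USER` or the manifest sets `runAsUser`, otherwise the kubelet rejects the pod at start; and a component that genuinely needs a capability (the CKV_K8S_25 case for vpn-shoot) should list exactly that one under `capabilities.add` after `drop: ["ALL"]` rather than keep the default set. To confirm the result, re-run `checkov -d <manifest-dir> --framework kubernetes` on the rendered manifests and, in a running pod, compare `grep Cap /proc/1/status` against the expected empty effective set.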