| Project | manifests/install.yaml |
|---|---|
| Path | /private/argo-cd/manifests/install.yaml |
| Project Type | Kubernetes |
Container does not drop all default capabilities
Impact
Containers are running with potentially unnecessary privileges
Remediation
Add `ALL` to `securityContext.capabilities.drop` list, and add only required capabilities in `securityContext.capabilities.add`
Container does not drop all default capabilities
Impact
Containers are running with potentially unnecessary privileges
Remediation
Add `ALL` to `securityContext.capabilities.drop` list, and add only required capabilities in `securityContext.capabilities.add`
Container does not drop all default capabilities
Impact
Containers are running with potentially unnecessary privileges
Remediation
Add `ALL` to `securityContext.capabilities.drop` list, and add only required capabilities in `securityContext.capabilities.add`
Container does not drop all default capabilities
Impact
Containers are running with potentially unnecessary privileges
Remediation
Add `ALL` to `securityContext.capabilities.drop` list, and add only required capabilities in `securityContext.capabilities.add`
Container is running without privilege escalation control
Impact
Processes could elevate current privileges via known vectors, for example SUID binaries
Remediation
Set `securityContext.allowPrivilegeEscalation` to `false`
Container is running without privilege escalation control
Impact
Processes could elevate current privileges via known vectors, for example SUID binaries
Remediation
Set `securityContext.allowPrivilegeEscalation` to `false`
Container is running without privilege escalation control
Impact
Processes could elevate current privileges via known vectors, for example SUID binaries
Remediation
Set `securityContext.allowPrivilegeEscalation` to `false`
Container is running without root user control
Impact
Container could be running with full administrative privileges
Remediation
Set `securityContext.runAsNonRoot` to `true`
Container is running without root user control
Impact
Container could be running with full administrative privileges
Remediation
Set `securityContext.runAsNonRoot` to `true`
Role with dangerous permissions
Impact
Using this role grants dangerous permissions
Remediation
Consider removing this permissions
Role with dangerous permissions
Impact
Using this role grants dangerous permissions
Remediation
Consider removing this permissions
Role with dangerous permissions
Impact
Using this role grants dangerous permissions
Remediation
Consider removing this permissions
Container could be running with outdated image
Impact
The container may run with outdated or unauthorized image
Remediation
Set `imagePullPolicy` attribute to `Always`
Container has no CPU limit
Impact
CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.
Remediation
Add `resources.limits.cpu` field with required CPU limit value
Container has no CPU limit
Impact
CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.
Remediation
Add `resources.limits.cpu` field with required CPU limit value
Container has no CPU limit
Impact
CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.
Remediation
Add `resources.limits.cpu` field with required CPU limit value
Container has no CPU limit
Impact
CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.
Remediation
Add `resources.limits.cpu` field with required CPU limit value
Container has no CPU limit
Impact
CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.
Remediation
Add `resources.limits.cpu` field with required CPU limit value
Container has no CPU limit
Impact
CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.
Remediation
Add `resources.limits.cpu` field with required CPU limit value
Container has no CPU limit
Impact
CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.
Remediation
Add `resources.limits.cpu` field with required CPU limit value
Container is running with multiple open ports
Impact
Increases the attack surface of the application and the container.
Remediation
Reduce `ports` count to 2
Container is running with writable root filesystem
Impact
Compromised process could abuse writable root filesystem to elevate privileges
Remediation
Set `securityContext.readOnlyRootFilesystem` to `true`
Container is running with writable root filesystem
Impact
Compromised process could abuse writable root filesystem to elevate privileges
Remediation
Set `securityContext.readOnlyRootFilesystem` to `true`
Container is running with writable root filesystem
Impact
Compromised process could abuse writable root filesystem to elevate privileges
Remediation
Set `securityContext.readOnlyRootFilesystem` to `true`
Container is running without liveness probe
Impact
Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods
Remediation
Add `livenessProbe` attribute
Container is running without liveness probe
Impact
Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods
Remediation
Add `livenessProbe` attribute
Container is running without liveness probe
Impact
Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods
Remediation
Add `livenessProbe` attribute
Container is running without liveness probe
Impact
Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods
Remediation
Add `livenessProbe` attribute
Container is running without memory limit
Impact
Containers without memory limits are more likely to be terminated when the node runs out of memory
Remediation
Set `resources.limits.memory` value
Container is running without memory limit
Impact
Containers without memory limits are more likely to be terminated when the node runs out of memory
Remediation
Set `resources.limits.memory` value
Container is running without memory limit
Impact
Containers without memory limits are more likely to be terminated when the node runs out of memory
Remediation
Set `resources.limits.memory` value
Container is running without memory limit
Impact
Containers without memory limits are more likely to be terminated when the node runs out of memory
Remediation
Set `resources.limits.memory` value
Container is running without memory limit
Impact
Containers without memory limits are more likely to be terminated when the node runs out of memory
Remediation
Set `resources.limits.memory` value
Container is running without memory limit
Impact
Containers without memory limits are more likely to be terminated when the node runs out of memory
Remediation
Set `resources.limits.memory` value
Container is running without memory limit
Impact
Containers without memory limits are more likely to be terminated when the node runs out of memory
Remediation
Set `resources.limits.memory` value