Snyk - Open Source Security

Snyk test report

September 7th 2022, 7:40:03 pm

Scanned the following path:
  • /private/argo-cd/manifests/namespace-install.yaml (Kubernetes)
35 total issues
Project manifests/namespace-install.yaml
Path /private/argo-cd/manifests/namespace-install.yaml
Project Type Kubernetes

Container does not drop all default capabilities

medium severity
  • Public ID: SNYK-CC-K8S-6
  • Introduced through: [DocId: 24] input spec template spec containers[dex] securityContext capabilities drop
  • Line number: 426

Impact

Containers are running with potentially unnecessary privileges

Remediation

Add `ALL` to `securityContext.capabilities.drop` list, and add only required capabilities in `securityContext.capabilities.add`

More about this issue

Container does not drop all default capabilities

medium severity
  • Public ID: SNYK-CC-K8S-6
  • Introduced through: [DocId: 24] input spec template spec initContainers[copyutil] securityContext capabilities drop
  • Line number: 436

Impact

Containers are running with potentially unnecessary privileges

Remediation

Add `ALL` to `securityContext.capabilities.drop` list, and add only required capabilities in `securityContext.capabilities.add`

More about this issue

Container does not drop all default capabilities

medium severity
  • Public ID: SNYK-CC-K8S-6
  • Introduced through: [DocId: 25] input spec template spec containers[redis] securityContext capabilities drop
  • Line number: 489

Impact

Containers are running with potentially unnecessary privileges

Remediation

Add `ALL` to `securityContext.capabilities.drop` list, and add only required capabilities in `securityContext.capabilities.add`

More about this issue

Container does not drop all default capabilities

medium severity
  • Public ID: SNYK-CC-K8S-6
  • Introduced through: [DocId: 26] input spec template spec initContainers[copyutil] securityContext capabilities drop
  • Line number: 672

Impact

Containers are running with potentially unnecessary privileges

Remediation

Add `ALL` to `securityContext.capabilities.drop` list, and add only required capabilities in `securityContext.capabilities.add`

More about this issue

Container is running without privilege escalation control

medium severity
  • Public ID: SNYK-CC-K8S-9
  • Introduced through: [DocId: 24] input spec template spec initContainers[copyutil] securityContext allowPrivilegeEscalation
  • Line number: 436

Impact

Processes could elevate current privileges via known vectors, for example SUID binaries

Remediation

Set `securityContext.allowPrivilegeEscalation` to `false`

More about this issue

Container is running without privilege escalation control

medium severity
  • Public ID: SNYK-CC-K8S-9
  • Introduced through: [DocId: 25] input spec template spec containers[redis] securityContext allowPrivilegeEscalation
  • Line number: 489

Impact

Processes could elevate current privileges via known vectors, for example SUID binaries

Remediation

Set `securityContext.allowPrivilegeEscalation` to `false`

More about this issue

Container is running without privilege escalation control

medium severity
  • Public ID: SNYK-CC-K8S-9
  • Introduced through: [DocId: 26] input spec template spec initContainers[copyutil] securityContext allowPrivilegeEscalation
  • Line number: 672

Impact

Processes could elevate current privileges via known vectors, for example SUID binaries

Remediation

Set `securityContext.allowPrivilegeEscalation` to `false`

More about this issue

Container is running without root user control

medium severity
  • Public ID: SNYK-CC-K8S-10
  • Introduced through: [DocId: 24] input spec template spec initContainers[copyutil] securityContext runAsNonRoot
  • Line number: 436

Impact

Container could be running with full administrative privileges

Remediation

Set `securityContext.runAsNonRoot` to `true`

More about this issue

Container is running without root user control

medium severity
  • Public ID: SNYK-CC-K8S-10
  • Introduced through: [DocId: 26] input spec template spec initContainers[copyutil] securityContext runAsNonRoot
  • Line number: 672

Impact

Container could be running with full administrative privileges

Remediation

Set `securityContext.runAsNonRoot` to `true`

More about this issue

Role with dangerous permissions

medium severity
  • Public ID: SNYK-CC-K8S-47
  • Introduced through: [DocId: 4] role rules[0] resources
  • Line number: 38

Impact

Using this role grants dangerous permissions

Remediation

Consider removing this permissions

More about this issue

Role with dangerous permissions

medium severity
  • Public ID: SNYK-CC-K8S-47
  • Introduced through: [DocId: 5] role rules[0] resources
  • Line number: 77

Impact

Using this role grants dangerous permissions

Remediation

Consider removing this permissions

More about this issue

Role with dangerous permissions

medium severity
  • Public ID: SNYK-CC-K8S-47
  • Introduced through: [DocId: 6] role rules[0] resources
  • Line number: 96

Impact

Using this role grants dangerous permissions

Remediation

Consider removing this permissions

More about this issue

Container could be running with outdated image

low severity
  • Public ID: SNYK-CC-K8S-42
  • Introduced through: [DocId: 26] spec template spec initContainers[copyutil] imagePullPolicy
  • Line number: 672

Impact

The container may run with outdated or unauthorized image

Remediation

Set `imagePullPolicy` attribute to `Always`

More about this issue

Container has no CPU limit

low severity
  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 24] input spec template spec initContainers[copyutil] resources limits cpu
  • Line number: 436

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value

More about this issue

Container has no CPU limit

low severity
  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 24] input spec template spec containers[dex] resources limits cpu
  • Line number: 416

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value

More about this issue

Container has no CPU limit

low severity
  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 25] input spec template spec containers[redis] resources limits cpu
  • Line number: 489

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value

More about this issue

Container has no CPU limit

low severity
  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 26] input spec template spec initContainers[copyutil] resources limits cpu
  • Line number: 672

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value

More about this issue

Container has no CPU limit

low severity
  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 26] input spec template spec containers[argocd-repo-server] resources limits cpu
  • Line number: 538

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value

More about this issue

Container has no CPU limit

low severity
  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 27] input spec template spec containers[argocd-server] resources limits cpu
  • Line number: 747

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value

More about this issue

Container has no CPU limit

low severity
  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 28] input spec template spec containers[argocd-application-controller] resources limits cpu
  • Line number: 997

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value

More about this issue

Container is running with multiple open ports

low severity
  • Public ID: SNYK-CC-K8S-36
  • Introduced through: [DocId: 24] spec template spec containers[dex] ports
  • Line number: 423

Impact

Increases the attack surface of the application and the container.

Remediation

Reduce `ports` count to 2

More about this issue

Container is running with writable root filesystem

low severity
  • Public ID: SNYK-CC-K8S-8
  • Introduced through: [DocId: 24] input spec template spec initContainers[copyutil] securityContext readOnlyRootFilesystem
  • Line number: 436

Impact

Compromised process could abuse writable root filesystem to elevate privileges

Remediation

Set `securityContext.readOnlyRootFilesystem` to `true`

More about this issue

Container is running with writable root filesystem

low severity
  • Public ID: SNYK-CC-K8S-8
  • Introduced through: [DocId: 25] input spec template spec containers[redis] securityContext readOnlyRootFilesystem
  • Line number: 489

Impact

Compromised process could abuse writable root filesystem to elevate privileges

Remediation

Set `securityContext.readOnlyRootFilesystem` to `true`

More about this issue

Container is running with writable root filesystem

low severity
  • Public ID: SNYK-CC-K8S-8
  • Introduced through: [DocId: 26] input spec template spec initContainers[copyutil] securityContext readOnlyRootFilesystem
  • Line number: 672

Impact

Compromised process could abuse writable root filesystem to elevate privileges

Remediation

Set `securityContext.readOnlyRootFilesystem` to `true`

More about this issue

Container is running without liveness probe

low severity
  • Public ID: SNYK-CC-K8S-41
  • Introduced through: [DocId: 24] spec template spec containers[dex] livenessProbe
  • Line number: 416

Impact

Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

Remediation

Add `livenessProbe` attribute

More about this issue

Container is running without liveness probe

low severity
  • Public ID: SNYK-CC-K8S-41
  • Introduced through: [DocId: 24] spec template spec initContainers[copyutil] livenessProbe
  • Line number: 436

Impact

Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

Remediation

Add `livenessProbe` attribute

More about this issue

Container is running without liveness probe

low severity
  • Public ID: SNYK-CC-K8S-41
  • Introduced through: [DocId: 25] spec template spec containers[redis] livenessProbe
  • Line number: 489

Impact

Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

Remediation

Add `livenessProbe` attribute

More about this issue

Container is running without liveness probe

low severity
  • Public ID: SNYK-CC-K8S-41
  • Introduced through: [DocId: 26] spec template spec initContainers[copyutil] livenessProbe
  • Line number: 672

Impact

Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

Remediation

Add `livenessProbe` attribute

More about this issue

Container is running without memory limit

low severity
  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 24] input spec template spec containers[dex] resources limits memory
  • Line number: 416

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value

More about this issue

Container is running without memory limit

low severity
  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 24] input spec template spec initContainers[copyutil] resources limits memory
  • Line number: 436

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value

More about this issue

Container is running without memory limit

low severity
  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 25] input spec template spec containers[redis] resources limits memory
  • Line number: 489

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value

More about this issue

Container is running without memory limit

low severity
  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 26] input spec template spec initContainers[copyutil] resources limits memory
  • Line number: 672

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value

More about this issue

Container is running without memory limit

low severity
  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 26] input spec template spec containers[argocd-repo-server] resources limits memory
  • Line number: 538

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value

More about this issue

Container is running without memory limit

low severity
  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 27] input spec template spec containers[argocd-server] resources limits memory
  • Line number: 747

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value

More about this issue

Container is running without memory limit

low severity
  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 28] input spec template spec containers[argocd-application-controller] resources limits memory
  • Line number: 997

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value

More about this issue