- Bug
- Resolution: Duplicate
- Undefined
- None
- 4.15
- None
- Important
- No
- Proposed
- False
-
Description of problem:
Multiple vulnerabilities seen for the KDO operator:
1. Container 'openshift-descheduler' of Pod 'descheduler-59d64b6c7b-49nl6' should set 'securityContext.readOnlyRootFilesystem' to true
2. Container 'descheduler-operator' of Pod 'descheduler-operator-db9fd6d96-9twf7' should set 'securityContext.readOnlyRootFilesystem' to true
Version-Release number of selected component (if applicable):
KDO v5.0.0
How reproducible:
Always
Steps to Reproduce:
1. Install the latest KDO on an OpenShift 4.15 cluster
2. clone repo https://github.com/RedHatProductSecurity/rapidast
3. Update rapidast_config.yaml as attached here
4. Run command `rapidast.py --config rapidast_config.yaml`
Actual results:
Vulnerabilities seen with HIGH severity
Expected results:
No vulnerabilities should be seen with HIGH severity
Additional info:
# This is a configuration template file to perform scans using user-defined container images or scripts
#
# Author: Red Hat Product Security

config:
  # WARNING: `configVersion` indicates the schema version of the config file.
  # This value tells RapiDAST what schema should be used to read this configuration.
  # Therefore you should only change it if you update the configuration to a newer schema
  # It is intended to keep backward compatibility (newer RapiDAST running an older config)
  configVersion: 5

# `application` contains data related to the application, not to the scans.
application:
  shortName: "oobttest"

# `general` is a section that will be applied to all scanners.
general:
  container:
    # This configures what technology is to be used for RapiDAST to run each scanner.
    # Currently supported: `podman` and `none`
    #   none: Default. RapiDAST runs each scanner in the same host or inside the RapiDAST image container
    #   podman: RapiDAST orchestrates each scanner on its own using podman
    # When undefined, relies on rapidast-defaults.yaml, or `none` if nothing is set
    type: "none"

# `scanners` is a section that configures scanning options
scanners:
  generic_oobt:
    # toolDir: scanners/generic/tools
    inline: "python3 oobtkube.py -d 120 -p 12345 -i <update_local_host_ip> -f /tmp/<update with cr for rodo>"

  generic_trivy:
    # results:
    #   An absolute path to file or directory where results are stored on the host.
    #   if it is "*stdout" or unspecified, the command's standard output will be selected
    #   When container.type is 'podman', this needs to be used along with the container.volumes configuration below
    #   If the result needs to be sent to DefectDojo, this must be a SARIF format file
    # results: "/test/results"

    # Example: scan a k8s cluster for misconfiguration issue
    # - kubeconfig file for the cluster is required
    # - See https://aquasecurity.github.io/trivy/v0.49/docs/target/kubernetes/ for more information on 'trivy k8s' scan
    # - scanners/generic/tools/convert_trivy_k8s_to_sarif.py converts the Trivy json result to the SARIF format
    # 'inline' is used when container.type is not 'podman'
    # 'toolDir' specifies the default directory where inline scripts are located
    #toolDir: scanners/generic/tools
    inline: "trivy k8s --kubeconfig=<kubeconfig_file_path> -n openshift-kube-descheduler-operator pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json"

    container:
      parameters:
        # Optional: list of expected return codes, anything else will be considered as an error. by default: [0]
        validReturns: [ 0 ]
Attaching report here https://issues.redhat.com/secure/attachment/13159723/13159723_stdout-report.txt
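The two findings above are the same check: a container whose securityContext does not set readOnlyRootFilesystem to true. The following is an added example, not code from this bug report, from the KDO operator, or from RapiDAST or Trivy. It reproduces that check over a workload manifest (Pod, Deployment-style template, or CronJob), and shows the usual remediation: set readOnlyRootFilesystem on every container and mount an emptyDir at any path the process still needs to write, since the setting exists only on the container-level securityContext, not the pod-level one. The OPERATOR_DEPLOYMENT manifest is constructed for the example and is not the real descheduler-operator Deployment; the image reference and the "scratch" volume names are placeholders.

```python
"""Audit Kubernetes workload manifests for containers with a writable root filesystem,
and produce a hardened copy. Added example; not the operator's or the scanner's code."""
import copy

CHECK = "securityContext.readOnlyRootFilesystem"


def _pod_spec(manifest):
    """Return the PodSpec of a Pod, a CronJob, or any template-bearing workload
    (Deployment, StatefulSet, DaemonSet, Job)."""
    kind = manifest.get("kind", "")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    return spec["template"]["spec"]


def writable_rootfs_containers(manifest):
    """Names of containers (initContainers included) that do not set
    readOnlyRootFilesystem to true, i.e. the containers a misconfiguration
    scanner would report with 'should set securityContext.readOnlyRootFilesystem to true'.
    A pod-level securityContext cannot satisfy this: the field is container-only."""
    pod = _pod_spec(manifest)
    failing = []
    for container in pod.get("initContainers", []) + pod.get("containers", []):
        sc = container.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            failing.append(container["name"])
    return failing


def harden(manifest, scratch_dirs=("/tmp",)):
    """Return a deep copy with readOnlyRootFilesystem: true on every container and an
    emptyDir mounted at each scratch path, so the process keeps a writable location
    without the whole image layer being writable. The input manifest is left untouched."""
    out = copy.deepcopy(manifest)
    pod = _pod_spec(out)
    volumes = pod.setdefault("volumes", [])
    for i, _ in enumerate(scratch_dirs):
        volumes.append({"name": f"scratch-{i}", "emptyDir": {}})  # placeholder volume name
    for container in pod.get("initContainers", []) + pod.get("containers", []):
        container.setdefault("securityContext", {})["readOnlyRootFilesystem"] = True
        mounts = container.setdefault("volumeMounts", [])
        for i, path in enumerate(scratch_dirs):
            mounts.append({"name": f"scratch-{i}", "mountPath": path})
    return out


# Constructed sample shaped like an operator Deployment; NOT the real descheduler-operator manifest.
OPERATOR_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {
        "name": "descheduler-operator",
        "namespace": "openshift-kube-descheduler-operator",
    },
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "descheduler-operator",
                        "image": "example.invalid/descheduler-operator:5.0.0",  # placeholder
                        # allowPrivilegeEscalation alone does not satisfy the check
                        "securityContext": {"allowPrivilegeEscalation": False},
                    }
                ]
            }
        }
    },
}

if __name__ == "__main__":
    print("before:", writable_rootfs_containers(OPERATOR_DEPLOYMENT))
    print("after: ", writable_rootfs_containers(harden(OPERATOR_DEPLOYMENT)))
```

Before applying the hardened spec to a real operator, run the container once with the read-only root filesystem and watch for EROFS errors in its logs; any path it writes to besides the scratch directories needs its own emptyDir mount, otherwise the pod will crash-loop rather than fail the scan.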