- Bug
- Resolution: Done-Errata
- Normal
- None
- 4.17
- None
- None
- 3
- PODAUTO - Sprint 258, PODAUTO - Sprint 259, PODAUTO - Sprint 260
- 3
- False
- Bug Fix
- In Progress
When going through the DAST process, we ran across a HIGH sev misconfiguration in the custom-metrics-autoscaler-operator pod:
trivy k8s --kubeconfig=/test/kubeconfig -n openshift-keda pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json
74.86 KiB / 74.86 KiB [--------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
4 / 4 [------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1 p/s
...
"Results": [
  {
    "Target": "Pod/custom-metrics-autoscaler-operator-5b6fb58767-zmrvr",
    "Class": "config",
    "Type": "kubernetes",
    "MisconfSummary": {
      "Successes": 20,
      "Failures": 1,
      "Exceptions": 0
    },
    "Misconfigurations": [
      {
        "Type": "Kubernetes Security Check",
        "ID": "KSV014",
        "AVDID": "AVD-KSV-0014",
        "Title": "Root file system is not read-only",
        "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.",
        "Message": "Container 'custom-metrics-autoscaler-operator' of Pod 'custom-metrics-autoscaler-operator-5b6fb58767-zmrvr' should set 'securityContext.readOnlyRootFilesystem' to true",
        "Namespace": "builtin.kubernetes.KSV014",
        "Query": "data.builtin.kubernetes.KSV014.deny",
        "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.",
        "Severity": "HIGH",
        "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014",
        "References": [
          "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/",
          "https://avd.aquasec.com/misconfig/ksv014"
        ],
        "Status": "FAIL",
        "Layer": {},
        "CauseMetadata": {
          "Provider": "Kubernetes",
          "Service": "general",
          "StartLine": 176,
          "EndLine": 247,
          "Code": {
            "Lines": [
              { "Number": 176, "Content": " - args:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", "FirstCause": true, "LastCause": false },
              { "Number": 177, "Content": " - -c", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - -c", "FirstCause": false, "LastCause": false },
              { "Number": 178, "Content": " - export KEDA_OPERATOR_IMAGE=$RELATED_IMAGE_1; export KEDA_METRICS_SERVER_IMAGE=$RELATED_IMAGE_2; export KEDA_ADMISSION_WEBHOOKS_IMAGE=$RELATED_IMAGE_3; exec /manager \"$0\" \"$@\"", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - export KEDA_OPERATOR_IMAGE=$RELATED_IMAGE_1; export KEDA_METRICS_SERVER_IMAGE=$RELATED_IMAGE_2; export KEDA_ADMISSION_WEBHOOKS_IMAGE=$RELATED_IMAGE_3; exec /manager \"$0\" \"$@\"", "FirstCause": false, "LastCause": false },
              { "Number": 179, "Content": " - --leader-elect", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --leader-elect", "FirstCause": false, "LastCause": false },
              { "Number": 180, "Content": " - --zap-log-level=info", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --zap-log-level=info", "FirstCause": false, "LastCause": false },
              { "Number": 181, "Content": " - --zap-encoder=console", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --zap-encoder=console", "FirstCause": false, "LastCause": false },
              { "Number": 182, "Content": " - --zap-time-encoding=rfc3339", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --zap-time-encoding=rfc3339", "FirstCause": false, "LastCause": false },
              { "Number": 183, "Content": " command:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", "FirstCause": false, "LastCause": false },
              { "Number": 184, "Content": " - /usr/bin/bash", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - /usr/bin/bash", "FirstCause": false, "LastCause": true },
              { "Number": 185, "Content": "", "IsCause": false, "Annotation": "", "Truncated": true, "FirstCause": false, "LastCause": false }
            ]
          }
        }
      }
    ]
  }
]
},
I can't think of anything it needs to write to the container root; I think everything is configmaps, so we can/should probably fix this.
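As an added example (not code from the ticket, from Trivy, or from the Custom Metrics Autoscaler project), the script below triages a Trivy JSON report for the KSV014 finding quoted above, applies the same rule locally to a pod manifest, and produces the hardened manifest. The report and the pod manifest are constructed samples that reuse Trivy's field names; the `Resources` wrapper is assumed, the container args are trimmed, and the image name is a placeholder. The `scratch_paths` option covers the one caveat that usually comes with `readOnlyRootFilesystem: true`: a process that still needs a writable directory gets an `emptyDir` mounted there instead of a writable root.

```python
"""Triage a Trivy Kubernetes misconfig report for KSV014 and produce the fix.
Added example, not code from the Jira ticket, Trivy or the operator project.
The report and manifest are constructed samples; the image is a placeholder."""
import copy
import json
import re

# Constructed sample: a trimmed "trivy k8s --format json" result with one
# KSV014 failure and one passing check. The Resources wrapper is assumed.
SAMPLE_REPORT = json.loads("""
{"Resources": [{"Namespace": "openshift-keda", "Kind": "Pod",
  "Name": "custom-metrics-autoscaler-operator-5b6fb58767-zmrvr",
  "Results": [{"Target": "Pod/custom-metrics-autoscaler-operator-5b6fb58767-zmrvr",
    "Class": "config",
    "Misconfigurations": [
      {"ID": "KSV014", "Severity": "HIGH", "Status": "FAIL",
       "Message": "Container 'custom-metrics-autoscaler-operator' of Pod 'custom-metrics-autoscaler-operator-5b6fb58767-zmrvr' should set 'securityContext.readOnlyRootFilesystem' to true"},
      {"ID": "KSV001", "Severity": "MEDIUM", "Status": "PASS", "Message": ""}]}]}]}
""")

# Constructed pod manifest shaped like the one in the finding (args trimmed,
# placeholder image) and missing readOnlyRootFilesystem.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "custom-metrics-autoscaler-operator-5b6fb58767-zmrvr",
                 "namespace": "openshift-keda"},
    "spec": {"containers": [{
        "name": "custom-metrics-autoscaler-operator",
        "image": "PLACEHOLDER_OPERATOR_IMAGE",
        "command": ["/usr/bin/bash"],
        "args": ["-c", "exec /manager \"$0\" \"$@\"", "--leader-elect"],
        "securityContext": {"allowPrivilegeEscalation": False}}]}}

MESSAGE_RE = re.compile(r"Container '([^']+)' of Pod '([^']+)'")


def iter_misconfigs(node, target=None):
    """Yield (target, misconfiguration) for every Misconfigurations entry in the
    tree; the recursive walk does not depend on the exact wrapper objects."""
    if isinstance(node, dict):
        target = node.get("Target", target)
        for m in node.get("Misconfigurations", []):
            yield target, m
        for v in node.values():
            yield from iter_misconfigs(v, target)
    elif isinstance(node, list):
        for v in node:
            yield from iter_misconfigs(v, target)


def ksv014_failures(report):
    """Return [(pod, container)] for each failed KSV014 finding, taking the names
    from Trivy's Message; falls back to (Target, None) if it names no container."""
    found = []
    for target, m in iter_misconfigs(report):
        if m.get("ID") != "KSV014" or m.get("Status") != "FAIL":
            continue
        match = MESSAGE_RE.search(m.get("Message", ""))
        found.append((match.group(2), match.group(1)) if match else (target, None))
    return found


def _all_containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def containers_without_ro_rootfs(pod):
    """Apply the KSV014 rule locally: names of containers whose securityContext
    does not set readOnlyRootFilesystem: true (initContainers included, as a
    conservative choice)."""
    return [c["name"] for c in _all_containers(pod)
            if not (c.get("securityContext") or {}).get("readOnlyRootFilesystem")]


def harden_pod(pod, scratch_paths=()):
    """Return a copy with readOnlyRootFilesystem: true on every container. Each
    path in scratch_paths is backed by an emptyDir so a process that still needs
    a writable directory (typically /tmp) keeps one once the root is locked."""
    fixed = copy.deepcopy(pod)
    spec = fixed.setdefault("spec", {})
    volumes = spec.setdefault("volumes", [])
    for i, _ in enumerate(scratch_paths):
        volumes.append({"name": f"scratch-{i}", "emptyDir": {}})
    for c in _all_containers(fixed):
        sc = c.get("securityContext") or {}   # tolerate a YAML null securityContext
        sc["readOnlyRootFilesystem"] = True
        c["securityContext"] = sc
        mounts = c.setdefault("volumeMounts", [])
        for i, path in enumerate(scratch_paths):
            mounts.append({"name": f"scratch-{i}", "mountPath": path})
    return fixed


if __name__ == "__main__":
    for pod_name, container in ksv014_failures(SAMPLE_REPORT):
        print(f"KSV014 FAIL: pod={pod_name} container={container}")
    print("before:", containers_without_ro_rootfs(SAMPLE_POD))
    hardened = harden_pod(SAMPLE_POD, scratch_paths=("/tmp",))
    print("after: ", containers_without_ro_rootfs(hardened))
    print(json.dumps(hardened["spec"]["containers"][0]["securityContext"]))
```

Running the script against a real report means replacing `SAMPLE_REPORT` with `json.load(open("trivy.json"))`; `containers_without_ro_rootfs` is the same predicate Trivy applies, so it can run in CI against rendered manifests before the image ever reaches a cluster. Whether a given workload actually needs a scratch mount is something to verify by running it with the read-only root and watching for EROFS errors, not something the report tells you.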
- links to: RHSA-2024:138512 Custom Metrics Autoscaler Operator for Red Hat 2.14.1 OpenShift Security Update
- mentioned on