{ "ClusterName": "knarra/api-knarra0607-qe-azure-devcluster-openshift-com:6443/system:admin", "Resources": [ { "Namespace": "openshift-secondary-scheduler-operator", "Kind": "Pod", "Name": "secondary-scheduler-6cf47cc5dd-6wsph", "Metadata": { "ImageConfig": { "architecture": "", "created": "0001-01-01T00:00:00Z", "os": "", "rootfs": { "type": "", "diff_ids": null }, "config": {} } }, "Results": [ { "Target": "Pod/secondary-scheduler-6cf47cc5dd-6wsph", "Class": "config", "Type": "kubernetes", "MisconfSummary": { "Successes": 20, "Failures": 1, "Exceptions": 0 }, "Misconfigurations": [ { "Type": "Kubernetes Security Check", "ID": "KSV014", "AVDID": "AVD-KSV-0014", "Title": "Root file system is not read-only", "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", "Message": "Container 'secondary-scheduler' of Pod 'secondary-scheduler-6cf47cc5dd-6wsph' should set 'securityContext.readOnlyRootFilesystem' to true", "Namespace": "builtin.kubernetes.KSV014", "Query": "data.builtin.kubernetes.KSV014.deny", "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", "References": [ "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", "https://avd.aquasec.com/misconfig/ksv014" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", "StartLine": 41, "EndLine": 68, "Code": { "Lines": [ { "Number": 41, "Content": " - args:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", "FirstCause": true, "LastCause": false }, { "Number": 42, "Content": " - /bin/kube-scheduler", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - /bin/kube-scheduler", "FirstCause": false, "LastCause": false }, { "Number": 43, "Content": " - --config=/etc/kubernetes/config.yaml", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --config=/etc/kubernetes/config.yaml", "FirstCause": false, "LastCause": false }, { "Number": 44, "Content": " - -v=2", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - -v=2", "FirstCause": false, "LastCause": false }, { "Number": 45, "Content": " env:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33menv\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 46, "Content": " - name: ENABLE_OPENSHIFT_AUTH", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ENABLE_OPENSHIFT_AUTH", "FirstCause": false, "LastCause": false }, { "Number": 47, "Content": " value: \"true\"", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"true\"", "FirstCause": false, "LastCause": false }, { "Number": 48, "Content": " image: registry.k8s.io/scheduler-plugins/kube-scheduler:v0.28.9", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/scheduler-plugins/kube-scheduler:v0.28.9", "FirstCause": false, "LastCause": false }, { "Number": 49, "Content": " imagePullPolicy: IfNotPresent", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", "FirstCause": false, "LastCause": true }, { "Number": 50, "Content": "", "IsCause": false, "Annotation": "", "Truncated": true, "FirstCause": false, "LastCause": false } ] } } } ] } ] }, { "Namespace": "openshift-secondary-scheduler-operator", "Kind": "Pod", "Name": "secondary-scheduler-operator-5c487b49cf-546nz", "Metadata": { "ImageConfig": { "architecture": "", "created": "0001-01-01T00:00:00Z", "os": "", "rootfs": { "type": "", "diff_ids": null }, "config": {} } }, "Results": [ { "Target": "Pod/secondary-scheduler-operator-5c487b49cf-546nz", "Class": "config", "Type": "kubernetes", "MisconfSummary": { "Successes": 20, "Failures": 1, "Exceptions": 0 }, "Misconfigurations": [ { "Type": "Kubernetes Security Check", "ID": "KSV014", "AVDID": "AVD-KSV-0014", "Title": "Root file system is not read-only", "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", "Message": "Container 'secondary-scheduler-operator' of Pod 'secondary-scheduler-operator-5c487b49cf-546nz' should set 'securityContext.readOnlyRootFilesystem' to true", "Namespace": "builtin.kubernetes.KSV014", "Query": "data.builtin.kubernetes.KSV014.deny", "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", "References": [ "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", "https://avd.aquasec.com/misconfig/ksv014" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", "StartLine": 76, "EndLine": 112, "Code": { "Lines": [ { "Number": 76, "Content": " - args:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", "FirstCause": true, "LastCause": false }, { "Number": 77, "Content": " - operator", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - operator", "FirstCause": false, "LastCause": false }, { "Number": 78, "Content": " command:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 79, "Content": " - secondary-scheduler-operator", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - secondary-scheduler-operator", "FirstCause": false, "LastCause": false }, { "Number": 80, "Content": " env:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33menv\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 81, "Content": " - name: WATCH_NAMESPACE", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33mname\u001b[0m: WATCH_NAMESPACE", "FirstCause": false, "LastCause": false }, { "Number": 82, "Content": " valueFrom:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 83, "Content": " fieldRef:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 84, "Content": " apiVersion: v1", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", "FirstCause": false, "LastCause": true }, { "Number": 85, "Content": "", "IsCause": false, "Annotation": "", "Truncated": true, "FirstCause": false, "LastCause": false } ] } } } ] } ] } ] }