{ "ClusterName": "knarra/api-knarra077-qe-gcp-devcluster-openshift-com:6443/system:admin", "Resources": [ { "Namespace": "openshift-kube-descheduler-operator", "Kind": "Pod", "Name": "descheduler-765d6c8857-b7g7b", "Metadata": { "ImageConfig": { "architecture": "", "created": "0001-01-01T00:00:00Z", "os": "", "rootfs": { "type": "", "diff_ids": null }, "config": {} } }, "Results": [ { "Target": "Pod/descheduler-765d6c8857-b7g7b", "Class": "config", "Type": "kubernetes", "MisconfSummary": { "Successes": 20, "Failures": 1, "Exceptions": 0 }, "Misconfigurations": [ { "Type": "Kubernetes Security Check", "ID": "KSV014", "AVDID": "AVD-KSV-0014", "Title": "Root file system is not read-only", "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", "Message": "Container 'openshift-descheduler' of Pod 'descheduler-765d6c8857-b7g7b' should set 'securityContext.readOnlyRootFilesystem' to true", "Namespace": "builtin.kubernetes.KSV014", "Query": "data.builtin.kubernetes.KSV014.deny", "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", "References": [ "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", "https://avd.aquasec.com/misconfig/ksv014" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", "StartLine": 46, "EndLine": 79, "Code": { "Lines": [ { "Number": 46, "Content": " - args:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", "FirstCause": true, "LastCause": false }, { "Number": 47, "Content": " - --policy-config-file=/policy-dir/policy.yaml", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --policy-config-file=/policy-dir/policy.yaml", "FirstCause": false, "LastCause": false }, { "Number": 48, "Content": " - --logging-format=text", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --logging-format=text", "FirstCause": false, "LastCause": false }, { "Number": 49, "Content": " - --tls-cert-file=/certs-dir/tls.crt", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --tls-cert-file=/certs-dir/tls.crt", "FirstCause": false, "LastCause": false }, { "Number": 50, "Content": " - --tls-private-key-file=/certs-dir/tls.key", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --tls-private-key-file=/certs-dir/tls.key", "FirstCause": false, "LastCause": false }, { "Number": 51, "Content": " - --descheduling-interval=60s", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --descheduling-interval=60s", "FirstCause": false, "LastCause": false }, { "Number": 52, "Content": " - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "FirstCause": false, "LastCause": false }, { "Number": 53, "Content": " - --tls-min-version=VersionTLS12", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --tls-min-version=VersionTLS12", "FirstCause": false, "LastCause": false }, { "Number": 54, "Content": " - -v=2", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - -v=2", "FirstCause": false, "LastCause": true }, { "Number": 55, "Content": "", "IsCause": false, "Annotation": "", "Truncated": true, "FirstCause": false, "LastCause": false } ] } } } ] } ] }, { "Namespace": "openshift-kube-descheduler-operator", "Kind": "Pod", "Name": "descheduler-operator-5c699866c5-ffdzt", "Metadata": { "ImageConfig": { "architecture": "", "created": "0001-01-01T00:00:00Z", "os": "", "rootfs": { "type": "", "diff_ids": null }, "config": {} } }, "Results": [ { "Target": "Pod/descheduler-operator-5c699866c5-ffdzt", "Class": "config", "Type": "kubernetes", "MisconfSummary": { "Successes": 20, "Failures": 1, "Exceptions": 0 }, "Misconfigurations": [ { "Type": "Kubernetes Security Check", "ID": "KSV014", "AVDID": "AVD-KSV-0014", "Title": "Root file system is not read-only", "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", "Message": "Container 'descheduler-operator' of Pod 'descheduler-operator-5c699866c5-ffdzt' should set 'securityContext.readOnlyRootFilesystem' to true", "Namespace": "builtin.kubernetes.KSV014", "Query": "data.builtin.kubernetes.KSV014.deny", "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", "References": [ "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", "https://avd.aquasec.com/misconfig/ksv014" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", "StartLine": 78, "EndLine": 121, "Code": { "Lines": [ { "Number": 78, "Content": " - args:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", "FirstCause": true, "LastCause": false }, { "Number": 79, "Content": " - operator", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - operator", "FirstCause": false, "LastCause": false }, { "Number": 80, "Content": " command:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 81, "Content": " - cluster-kube-descheduler-operator", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - cluster-kube-descheduler-operator", "FirstCause": false, "LastCause": false }, { "Number": 82, "Content": " env:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33menv\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 83, "Content": " - name: OPERATOR_POD_NAMESPACE", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33mname\u001b[0m: OPERATOR_POD_NAMESPACE", "FirstCause": false, "LastCause": false }, { "Number": 84, "Content": " valueFrom:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 85, "Content": " fieldRef:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 86, "Content": " apiVersion: v1", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", "FirstCause": false, "LastCause": true }, { "Number": 87, "Content": "", "IsCause": false, "Annotation": "", "Truncated": true, "FirstCause": false, "LastCause": false } ] } } } ] } ] } ] }