{ "ClusterName": "knarra/api-knarra1419-qe-gcp-devcluster-openshift-com:6443/system:admin", "Resources": [ { "Namespace": "openshift-run-once-duration-override-operator", "Kind": "Pod", "Name": "runoncedurationoverride-rdmzn", "Metadata": { "ImageConfig": { "architecture": "", "created": "0001-01-01T00:00:00Z", "os": "", "rootfs": { "type": "", "diff_ids": null }, "config": {} } }, "Results": [ { "Target": "Pod/runoncedurationoverride-rdmzn", "Class": "config", "Type": "kubernetes", "MisconfSummary": { "Successes": 19, "Failures": 2, "Exceptions": 0 }, "Misconfigurations": [ { "Type": "Kubernetes Security Check", "ID": "KSV009", "AVDID": "AVD-KSV-0009", "Title": "Access to host network", "Description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", "Message": "Pod 'runoncedurationoverride-rdmzn' should not set 'spec.template.spec.hostNetwork' to true", "Namespace": "builtin.kubernetes.KSV009", "Query": "data.builtin.kubernetes.KSV009.deny", "Resolution": "Do not set 'spec.template.spec.hostNetwork' to true.", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv009", "References": [ "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", "https://avd.aquasec.com/misconfig/ksv009" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", "StartLine": 29, "EndLine": 158, "Code": { "Lines": [ { "Number": 29, "Content": " affinity:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33maffinity\u001b[0m:", "FirstCause": true, "LastCause": false }, { "Number": 30, "Content": " nodeAffinity:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mnodeAffinity\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 31, "Content": " requiredDuringSchedulingIgnoredDuringExecution:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mrequiredDuringSchedulingIgnoredDuringExecution\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 32, "Content": " nodeSelectorTerms:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mnodeSelectorTerms\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 33, "Content": " - matchFields:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33mmatchFields\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 34, "Content": " - key: metadata.name", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33mkey\u001b[0m: metadata.name", "FirstCause": false, "LastCause": false }, { "Number": 35, "Content": " operator: In", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33moperator\u001b[0m: In", "FirstCause": false, "LastCause": false }, { "Number": 36, "Content": " values:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mvalues\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 37, "Content": " - knarra1419-nn7lv-master-2.us-central1-c.c.openshift-qe.internal", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - knarra1419-nn7lv-master-2.us-central1-c.c.openshift-qe.internal", "FirstCause": false, "LastCause": true }, { "Number": 38, "Content": "", "IsCause": false, "Annotation": "", "Truncated": true, "FirstCause": false, "LastCause": false } ] } } }, { "Type": "Kubernetes Security Check", "ID": "KSV024", "AVDID": "AVD-KSV-0024", "Title": "Access to host ports", "Description": "According to pod security standard 'Host Ports', hostPorts should be disallowed, or at minimum restricted to a known list.", "Message": "Container 'runoncedurationoverride' of Pod 'runoncedurationoverride-rdmzn' should not set host ports, 'ports[*].hostPort'", "Namespace": "builtin.kubernetes.KSV024", "Query": "data.builtin.kubernetes.KSV024.deny", "Resolution": "Do not set spec.containers[*].ports[*].hostPort and spec.initContainers[*].ports[*].hostPort.", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv024", "References": [ "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", "https://avd.aquasec.com/misconfig/ksv024" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", "StartLine": 39, "EndLine": 78, "Code": { "Lines": [ { "Number": 39, "Content": " - args:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", "FirstCause": true, "LastCause": false }, { "Number": 40, "Content": " - --secure-port=9448", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --secure-port=9448", "FirstCause": false, "LastCause": false }, { "Number": 41, "Content": " - --bind-address=127.0.0.1", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --bind-address=127.0.0.1", "FirstCause": false, "LastCause": false }, { "Number": 42, "Content": " - --tls-cert-file=/var/serving-cert/tls.crt", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --tls-cert-file=/var/serving-cert/tls.crt", "FirstCause": false, "LastCause": false }, { "Number": 43, "Content": " - --tls-private-key-file=/var/serving-cert/tls.key", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --tls-private-key-file=/var/serving-cert/tls.key", "FirstCause": false, "LastCause": false }, { "Number": 44, "Content": " - --v=3", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --v=3", "FirstCause": false, "LastCause": false }, { "Number": 45, "Content": " command:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 46, "Content": " - /usr/bin/run-once-duration-override", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - /usr/bin/run-once-duration-override", "FirstCause": false, "LastCause": false }, { "Number": 47, "Content": " env:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33menv\u001b[0m:", "FirstCause": false, "LastCause": true }, { "Number": 48, "Content": "", "IsCause": false, "Annotation": "", "Truncated": true, "FirstCause": false, "LastCause": false } ] } } } ] } ] }, { "Namespace": "openshift-run-once-duration-override-operator", "Kind": "Pod", "Name": "run-once-duration-override-operator-6f7fc6b9f9-rmjsg", "Metadata": { "ImageConfig": { "architecture": "", "created": "0001-01-01T00:00:00Z", "os": "", "rootfs": { "type": "", "diff_ids": null }, "config": {} } }, "Results": [ { "Target": "Pod/run-once-duration-override-operator-6f7fc6b9f9-rmjsg", "Class": "config", "Type": "kubernetes", "MisconfSummary": { "Successes": 21, "Failures": 0, "Exceptions": 0 } } ] }, { "Namespace": "openshift-run-once-duration-override-operator", "Kind": "Pod", "Name": "runoncedurationoverride-m96gh", "Metadata": { "ImageConfig": { "architecture": "", "created": "0001-01-01T00:00:00Z", "os": "", "rootfs": { "type": "", "diff_ids": null }, "config": {} } }, "Results": [ { "Target": "Pod/runoncedurationoverride-m96gh", "Class": "config", "Type": "kubernetes", "MisconfSummary": { "Successes": 19, "Failures": 2, "Exceptions": 0 }, "Misconfigurations": [ { "Type": "Kubernetes Security Check", "ID": "KSV009", "AVDID": "AVD-KSV-0009", "Title": "Access to host network", "Description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", "Message": "Pod 'runoncedurationoverride-m96gh' should not set 'spec.template.spec.hostNetwork' to true", "Namespace": "builtin.kubernetes.KSV009", "Query": "data.builtin.kubernetes.KSV009.deny", "Resolution": "Do not set 'spec.template.spec.hostNetwork' to true.", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv009", "References": [ "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", "https://avd.aquasec.com/misconfig/ksv009" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", "StartLine": 29, "EndLine": 158, "Code": { "Lines": [ { "Number": 29, "Content": " affinity:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33maffinity\u001b[0m:", "FirstCause": true, "LastCause": false }, { "Number": 30, "Content": " nodeAffinity:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mnodeAffinity\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 31, "Content": " requiredDuringSchedulingIgnoredDuringExecution:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mrequiredDuringSchedulingIgnoredDuringExecution\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 32, "Content": " nodeSelectorTerms:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mnodeSelectorTerms\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 33, "Content": " - matchFields:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33mmatchFields\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 34, "Content": " - key: metadata.name", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33mkey\u001b[0m: metadata.name", "FirstCause": false, "LastCause": false }, { "Number": 35, "Content": " operator: In", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33moperator\u001b[0m: In", "FirstCause": false, "LastCause": false }, { "Number": 36, "Content": " values:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mvalues\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 37, "Content": " - knarra1419-nn7lv-master-1.us-central1-b.c.openshift-qe.internal", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - knarra1419-nn7lv-master-1.us-central1-b.c.openshift-qe.internal", "FirstCause": false, "LastCause": true }, { "Number": 38, "Content": "", "IsCause": false, "Annotation": "", "Truncated": true, "FirstCause": false, "LastCause": false } ] } } }, { "Type": "Kubernetes Security Check", "ID": "KSV024", "AVDID": "AVD-KSV-0024", "Title": "Access to host ports", "Description": "According to pod security standard 'Host Ports', hostPorts should be disallowed, or at minimum restricted to a known list.", "Message": "Container 'runoncedurationoverride' of Pod 'runoncedurationoverride-m96gh' should not set host ports, 'ports[*].hostPort'", "Namespace": "builtin.kubernetes.KSV024", "Query": "data.builtin.kubernetes.KSV024.deny", "Resolution": "Do not set spec.containers[*].ports[*].hostPort and spec.initContainers[*].ports[*].hostPort.", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv024", "References": [ "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", "https://avd.aquasec.com/misconfig/ksv024" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", "StartLine": 39, "EndLine": 78, "Code": { "Lines": [ { "Number": 39, "Content": " - args:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", "FirstCause": true, "LastCause": false }, { "Number": 40, "Content": " - --secure-port=9448", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --secure-port=9448", "FirstCause": false, "LastCause": false }, { "Number": 41, "Content": " - --bind-address=127.0.0.1", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --bind-address=127.0.0.1", "FirstCause": false, "LastCause": false }, { "Number": 42, "Content": " - --tls-cert-file=/var/serving-cert/tls.crt", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --tls-cert-file=/var/serving-cert/tls.crt", "FirstCause": false, "LastCause": false }, { "Number": 43, "Content": " - --tls-private-key-file=/var/serving-cert/tls.key", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --tls-private-key-file=/var/serving-cert/tls.key", "FirstCause": false, "LastCause": false }, { "Number": 44, "Content": " - --v=3", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --v=3", "FirstCause": false, "LastCause": false }, { "Number": 45, "Content": " command:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 46, "Content": " - /usr/bin/run-once-duration-override", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - /usr/bin/run-once-duration-override", "FirstCause": false, "LastCause": false }, { "Number": 47, "Content": " env:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33menv\u001b[0m:", "FirstCause": false, "LastCause": true }, { "Number": 48, "Content": "", "IsCause": false, "Annotation": "", "Truncated": true, "FirstCause": false, "LastCause": false } ] } } } ] } ] }, { "Namespace": "openshift-run-once-duration-override-operator", "Kind": "Pod", "Name": "runoncedurationoverride-b4cb4", "Metadata": { "ImageConfig": { "architecture": "", "created": "0001-01-01T00:00:00Z", "os": "", "rootfs": { "type": "", "diff_ids": null }, "config": {} } }, "Results": [ { "Target": "Pod/runoncedurationoverride-b4cb4", "Class": "config", "Type": "kubernetes", "MisconfSummary": { "Successes": 19, "Failures": 2, "Exceptions": 0 }, "Misconfigurations": [ { "Type": "Kubernetes Security Check", "ID": "KSV009", "AVDID": "AVD-KSV-0009", "Title": "Access to host network", "Description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", "Message": "Pod 'runoncedurationoverride-b4cb4' should not set 'spec.template.spec.hostNetwork' to true", "Namespace": "builtin.kubernetes.KSV009", "Query": "data.builtin.kubernetes.KSV009.deny", "Resolution": "Do not set 'spec.template.spec.hostNetwork' to true.", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv009", "References": [ "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", "https://avd.aquasec.com/misconfig/ksv009" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", "StartLine": 29, "EndLine": 158, "Code": { "Lines": [ { "Number": 29, "Content": " affinity:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33maffinity\u001b[0m:", "FirstCause": true, "LastCause": false }, { "Number": 30, "Content": " nodeAffinity:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mnodeAffinity\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 31, "Content": " requiredDuringSchedulingIgnoredDuringExecution:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mrequiredDuringSchedulingIgnoredDuringExecution\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 32, "Content": " nodeSelectorTerms:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mnodeSelectorTerms\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 33, "Content": " - matchFields:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33mmatchFields\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 34, "Content": " - key: metadata.name", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33mkey\u001b[0m: metadata.name", "FirstCause": false, "LastCause": false }, { "Number": 35, "Content": " operator: In", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33moperator\u001b[0m: In", "FirstCause": false, "LastCause": false }, { "Number": 36, "Content": " values:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mvalues\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 37, "Content": " - knarra1419-nn7lv-master-0.us-central1-a.c.openshift-qe.internal", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - knarra1419-nn7lv-master-0.us-central1-a.c.openshift-qe.internal", "FirstCause": false, "LastCause": true }, { "Number": 38, "Content": "", "IsCause": false, "Annotation": "", "Truncated": true, "FirstCause": false, "LastCause": false } ] } } }, { "Type": "Kubernetes Security Check", "ID": "KSV024", "AVDID": "AVD-KSV-0024", "Title": "Access to host ports", "Description": "According to pod security standard 'Host Ports', hostPorts should be disallowed, or at minimum restricted to a known list.", "Message": "Container 'runoncedurationoverride' of Pod 'runoncedurationoverride-b4cb4' should not set host ports, 'ports[*].hostPort'", "Namespace": "builtin.kubernetes.KSV024", "Query": "data.builtin.kubernetes.KSV024.deny", "Resolution": "Do not set spec.containers[*].ports[*].hostPort and spec.initContainers[*].ports[*].hostPort.", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv024", "References": [ "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", "https://avd.aquasec.com/misconfig/ksv024" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", "StartLine": 39, "EndLine": 78, "Code": { "Lines": [ { "Number": 39, "Content": " - args:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", "FirstCause": true, "LastCause": false }, { "Number": 40, "Content": " - --secure-port=9448", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --secure-port=9448", "FirstCause": false, "LastCause": false }, { "Number": 41, "Content": " - --bind-address=127.0.0.1", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --bind-address=127.0.0.1", "FirstCause": false, "LastCause": false }, { "Number": 42, "Content": " - --tls-cert-file=/var/serving-cert/tls.crt", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --tls-cert-file=/var/serving-cert/tls.crt", "FirstCause": false, "LastCause": false }, { "Number": 43, "Content": " - --tls-private-key-file=/var/serving-cert/tls.key", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --tls-private-key-file=/var/serving-cert/tls.key", "FirstCause": false, "LastCause": false }, { "Number": 44, "Content": " - --v=3", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - --v=3", "FirstCause": false, "LastCause": false }, { "Number": 45, "Content": " command:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", "FirstCause": false, "LastCause": false }, { "Number": 46, "Content": " - /usr/bin/run-once-duration-override", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " - /usr/bin/run-once-duration-override", "FirstCause": false, "LastCause": false }, { "Number": 47, "Content": " env:", "IsCause": true, "Annotation": "", "Truncated": false, "Highlighted": " \u001b[38;5;33menv\u001b[0m:", "FirstCause": false, "LastCause": true }, { "Number": 48, "Content": "", "IsCause": false, "Annotation": "", "Truncated": true, "FirstCause": false, "LastCause": false } ] } } } ] } ] } ] }