Prisma Cloud's scan reported Private Key found in keda-metrics-apiserver #4869

Closed
edwardccg opened this issue Aug 8, 2023 · 4 comments
edwardccg commented Aug 8, 2023

Report

Our cluster is integrated with Prisma Defender, which reported that a private key was found in keda-metrics-apiserver:2.9.2.

Cause
Found: /apiserver.local.config/certificates/apiserver.key

Expected Behavior

There should be no private key stored inside an image.

Actual Behavior

Private key is stored in image

Steps to Reproduce the Problem

Private key was detected in /apiserver.local.config/certificates/apiserver.key

Logs from KEDA operator

N/A

KEDA Version

2.9.2

Kubernetes Version

None

Platform

Microsoft Azure

Scaler Details

No response

Anything else?

Please advise if this private key is required for the keda-metrics-apiserver to function. If not required, we should remediate and externalize the keys from the image. If required, we need some input to document why the key is required. Thank you.

@edwardccg added the bug label Aug 8, 2023
@JorTurFer
Member

Hi,
That key isn't stored in the image; it's generated on the fly by the metrics server during startup if you don't provide it.
How to provide your own certificate is explained here: https://keda.sh/docs/2.11/faq/


This certificate was removed in KEDA v2.10 in favor of external certificates (managed by KEDA as a minimum, or using an external tool like cert-manager, as recommended).
You can find how to use your own certificates in KEDA > v2.10 here, and also a blog post with an example for cert-manager here.

I'm closing this issue as solved because the file isn't used anymore, but you can reopen it if you think that there is still something that needs to be fixed 😄

@JorTurFer closed this as not planned (won't fix, can't repro, duplicate, stale) Aug 13, 2023
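
The distinction drawn in the reply above (a key baked into an image layer versus one created at container startup) can be checked offline against a `docker save` archive. This is an added example, not part of the thread or of KEDA's code; it assumes the archive's `manifest.json` layout, and the sample archive, layer name and file contents are constructed in memory for illustration.

```python
import io, json, posixpath, tarfile

KEY_PATH = "apiserver.local.config/certificates/apiserver.key"  # path from the scan report
PEM_MARKER = b"PRIVATE KEY-----"  # tail of any PEM private-key header line

def layers_containing(image_tar: bytes, path: str = KEY_PATH):
    """Return [(layer, looks_like_pem_key)] for each image layer that ships `path`.

    An empty list means no layer carries the file, so a copy seen in a running
    container was written at runtime. A hit counts even if a later layer
    deletes the file: the bytes still ship inside the image.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for member in layer:
                    name = posixpath.normpath(member.name).lstrip("/")
                    if member.isfile() and name == path:
                        data = layer.extractfile(member).read()
                        hits.append((layer_name, PEM_MARKER in data))
    return hits

def _tar(files: dict) -> bytes:
    """Build an uncompressed tar archive from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_image(with_key: bool) -> bytes:
    """Constructed stand-in for `docker save` output with a single layer."""
    layer_files = {"bin/app": b"\x7fELF"}  # constructed placeholder binary
    if with_key:
        layer_files["./" + KEY_PATH] = b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n"
    manifest = json.dumps([{"Layers": ["layer0/layer.tar"]}]).encode()
    return _tar({"manifest.json": manifest, "layer0/layer.tar": _tar(layer_files)})

if __name__ == "__main__":
    print("key baked in:", layers_containing(sample_image(True)))
    print("key absent:  ", layers_containing(sample_image(False)))
```

For a real image, pass the bytes of the archive written by `docker save` to `layers_containing`.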
@edwardccg
Author

Thank you for the information. We do use cert manager; I will have a look at v2.10 and implement that.

@JorTurFer
Member

Just by upgrading KEDA, the issue should be solved, with the certificate managed by the KEDA operator through k8s secrets.

@edwardccg
Author

Thanks! I have upgraded to the current latest version, 2.11.2, and Prisma Cloud is all green for the container running in keda namespaces.
