Running checkov returns several errors on the argocd/deployment.yaml file #6

Open
atulgoel126 opened this issue Jul 27, 2024 · 0 comments · May be fixed by #7

Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34

            1  | apiVersion: apps/v1
            2  | kind: Deployment
            3  | metadata:
            4  |   name: nginx
            5  |   labels:
            6  |     app.kubernetes.io/name: nginx
            7  | spec:
            8  |   replicas: 2
            9  |   selector:
            10 |     matchLabels:
            11 |       app.kubernetes.io/name: nginx
            12 |   template:
            13 |     metadata:
            14 |       labels:
            15 |         app.kubernetes.io/name: nginx
            16 |     spec:
            17 |       containers:
            18 |         - name: nginx
            19 |           image: nginx:latest
            20 |           resources:
            21 |             limits:
            22 |               cpu: "0.5"
            23 |               memory: "500Mi"
            24 |             requests:
            25 |               cpu: "0.5"
            26 |               memory: "500Mi"
            27 |           ports:
            28 |             - containerPort: 80
            29 | ---

Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29

Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7

Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19

Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37

Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21

Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8

Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27

Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers

Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28

Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13

Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35

Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20

Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22

Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /assets/argocd/deployment.yaml:1-29
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39
