Create deployment.yaml #72

Open
wants to merge 3 commits into
base: master

saargon
Contributor

@saargon saargon commented Dec 21, 2023

No description provided.

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0
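
Review bot: Lines +12 to +13 set `allowPrivilegeEscalation: true` and `runAsUser: 0` explicitly, so the container runs as root and can gain further privileges by choice rather than by an omitted default. Change these two lines to `allowPrivilegeEscalation: false` and a non-zero `runAsUser`, and add `runAsNonRoot: true` so the kubelet refuses to start the container as UID 0. On line +9, `image: my-image` carries no tag or digest, so it resolves to `latest`; pin it to a specific version.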

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0001
Check Name: Can elevate its own privileges
Severity: MEDIUM
Message: Container 'my-app' of Deployment 'my-app' should set 'securityContext.allowPrivilegeEscalation' to false
Resolution: Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv001

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0003
Check Name: Default capabilities: some containers do not drop all
Severity: LOW
Message: Container 'my-app' of Deployment 'my-app' should add 'ALL' to 'securityContext.capabilities.drop'
Resolution: Add 'ALL' to containers[].securityContext.capabilities.drop.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv003

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0011
Check Name: CPU not limited
Severity: LOW
Message: Container 'my-app' of Deployment 'my-app' should set 'resources.limits.cpu'
Resolution: Set a limit value under 'containers[].resources.limits.cpu'.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv011

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0012
Check Name: Runs as root user
Severity: MEDIUM
Message: Container 'my-app' of Deployment 'my-app' should set 'securityContext.runAsNonRoot' to true
Resolution: Set 'containers[].securityContext.runAsNonRoot' to true.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv012

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0013
Check Name: Image tag ":latest" used
Severity: MEDIUM
Message: Container 'my-app' of Deployment 'my-app' should specify an image tag
Resolution: Use a specific container image tag that is not 'latest'.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv013

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0014
Check Name: Root file system is not read-only
Severity: LOW
Message: Container 'my-app' of Deployment 'my-app' should set 'securityContext.readOnlyRootFilesystem' to true
Resolution: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv014

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0015
Check Name: CPU requests not specified
Severity: LOW
Message: Container 'my-app' of Deployment 'my-app' should set 'resources.requests.cpu'
Resolution: Set 'containers[].resources.requests.cpu'.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv015

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0016
Check Name: Memory requests not specified
Severity: LOW
Message: Container 'my-app' of Deployment 'my-app' should set 'resources.requests.memory'
Resolution: Set 'containers[].resources.requests.memory'.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv016

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0018
Check Name: Memory not limited
Severity: LOW
Message: Container 'my-app' of Deployment 'my-app' should set 'resources.limits.memory'
Resolution: Set a limit value under 'containers[].resources.limits.memory'.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv018

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0020
Check Name: Runs with UID <= 10000
Severity: LOW
Message: Container 'my-app' of Deployment 'my-app' should set 'securityContext.runAsUser' > 10000
Resolution: Set 'containers[].securityContext.runAsUser' to an integer > 10000.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv020

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0021
Check Name: Runs with GID <= 10000
Severity: LOW
Message: Container 'my-app' of Deployment 'my-app' should set 'securityContext.runAsGroup' > 10000
Resolution: Set 'containers[].securityContext.runAsGroup' to an integer > 10000.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv021

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0030
Check Name: Runtime/Default Seccomp profile not set
Severity: LOW
Message: Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
Resolution: Set 'spec.securityContext.seccompProfile.type', 'spec.containers[].securityContext.seccompProfile' and 'spec.initContainers[].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv030

@@ -0,0 +1,13 @@
apiVersion: extensions/v1beta1
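
Review bot: `apiVersion: extensions/v1beta1` on line +1 is no longer served for Deployments; Kubernetes removed that group/version for this kind in v1.16, so current API servers will reject the manifest before any of the securityContext settings take effect. Change it to `apiVersion: apps/v1`, and check that `spec.selector` is present and matches the pod template labels, since `apps/v1` requires it.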

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0104
Check Name: Seccomp policies disabled
Severity: MEDIUM
Message: container my-app of deployment my-app in default namespace should specify a seccomp profile
Resolution: Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv104

Comment on lines +12 to +13
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0105
Check Name: Containers must not set runAsUser to 0
Severity: LOW
Message: securityContext.runAsUser should be set to a value greater than 0
Resolution: Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv105

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0106
Check Name: Container capabilities must only include NET_BIND_SERVICE
Severity: LOW
Message: container should drop all
Resolution: Set 'spec.containers[].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[].securityContext.capabilities.add'.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv106

@@ -0,0 +1,13 @@
apiVersion: extensions/v1beta1

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0116
Check Name: Runs with a root primary or supplementary GID
Severity: LOW
Message: deployment my-app in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0
Resolution: Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv116

Comment on lines +9 to +13
- image: my-image
name: my-app
securityContext:
allowPrivilegeEscalation: true
runAsUser: 0

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0014
Check Name: Root file system is not read-only
Severity: HIGH
Message: Container 'my-app' of Deployment 'my-app' should set 'securityContext.readOnlyRootFilesystem' to true
Resolution: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv014

@@ -0,0 +1,15 @@
apiVersion: extensions/v1beta1

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-KSV-0104
Check Name: Seccomp policies disabled
Severity: MEDIUM
Message: container "my-app" of deployment "my-app" in "default" namespace should specify a seccomp profile
Resolution: Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/ksv104
