TrueChartsCatalogClone/core/metallb/1.0.5/security.md

29 KiB
Raw Blame History

hide
toc

Security Overview

Helm-Chart

Scan Results

Chart Object: metallb/charts/metallb/templates/controller.yaml

Type Misconfiguration ID Check Severity Explaination Links
Kubernetes Security Check KSV011 CPU not limited LOW
Expand... Enforcing CPU limits prevents DoS via resource exhaustion.


Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.limits.cpu'
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv011
Kubernetes Security Check KSV015 CPU requests not specified LOW
Expand... When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.


Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.requests.cpu'
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv015
Kubernetes Security Check KSV016 Memory requests not specified LOW
Expand... When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.


Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.requests.memory'
Expand...https://kubesec.io/basics/containers-resources-limits-memory/
https://avd.aquasec.com/appshield/ksv016
Kubernetes Security Check KSV018 Memory not limited LOW
Expand... Enforcing memory limits prevents DoS via resource exhaustion.


Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.limits.memory'
Expand...https://kubesec.io/basics/containers-resources-limits-memory/
https://avd.aquasec.com/appshield/ksv018
Kubernetes Security Check KSV020 Runs with low user ID MEDIUM
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the hosts user table.


Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'securityContext.runAsUser' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
Kubernetes Security Check KSV021 Runs with low group ID MEDIUM
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the hosts user table.


Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'securityContext.runAsGroup' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
Kubernetes Security Check KSV029 A root primary or supplementary GID set LOW
Expand... Containers should be forbidden from running with a root primary or supplementary GID.


Deployment 'RELEASE-NAME-metallb-controller' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv029
No Misconfigurations found
Type Misconfiguration ID Check Severity Explaination Links
Kubernetes Security Check KSV009 Access to host network HIGH
Expand... Sharing the hosts network namespace permits processes in the pod to communicate with processes bound to the hosts loopback adapter.


DaemonSet 'RELEASE-NAME-metallb-speaker' should not set 'spec.template.spec.hostNetwork' to true
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv009
Kubernetes Security Check KSV011 CPU not limited LOW
Expand... Enforcing CPU limits prevents DoS via resource exhaustion.


Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.limits.cpu'
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv011
Kubernetes Security Check KSV012 Runs as root user MEDIUM
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'securityContext.runAsNonRoot' to true
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
Kubernetes Security Check KSV015 CPU requests not specified LOW
Expand... When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.


Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.requests.cpu'
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv015
Kubernetes Security Check KSV016 Memory requests not specified LOW
Expand... When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.


Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.requests.memory'
Expand...https://kubesec.io/basics/containers-resources-limits-memory/
https://avd.aquasec.com/appshield/ksv016
Kubernetes Security Check KSV018 Memory not limited LOW
Expand... Enforcing memory limits prevents DoS via resource exhaustion.


Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.limits.memory'
Expand...https://kubesec.io/basics/containers-resources-limits-memory/
https://avd.aquasec.com/appshield/ksv018
Kubernetes Security Check KSV020 Runs with low user ID MEDIUM
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the hosts user table.


Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'securityContext.runAsUser' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
Kubernetes Security Check KSV021 Runs with low group ID MEDIUM
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the hosts user table.


Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'securityContext.runAsGroup' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
Kubernetes Security Check KSV022 Non-default capabilities added MEDIUM
Expand... Adding NET_RAW or capabilities beyond the default set must be disallowed.


Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should not set 'securityContext.capabilities.add'
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv022

Containers

Detected Containers
    quay.io/metallb/controller:v0.12.1
    quay.io/metallb/speaker:v0.12.1
Scan Results

Container: quay.io/metallb/controller:v0.12.1 (alpine 3.15.0)

alpine

Package Vulnerability Severity Installed Version Fixed Version Links
libcrypto1.1 CVE-2022-0778 HIGH 1.1.1l-r7 1.1.1n-r0
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
https://linux.oracle.com/cve/CVE-2022-0778.html
https://linux.oracle.com/errata/ELSA-2022-9246.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
https://security.netapp.com/advisory/ntap-20220321-0002/
https://ubuntu.com/security/notices/USN-5328-1
https://ubuntu.com/security/notices/USN-5328-2
https://www.debian.org/security/2022/dsa-5103
https://www.openssl.org/news/secadv/20220315.txt
libretls CVE-2022-0778 HIGH 3.3.4-r2 3.3.4-r3
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
https://linux.oracle.com/cve/CVE-2022-0778.html
https://linux.oracle.com/errata/ELSA-2022-9246.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
https://security.netapp.com/advisory/ntap-20220321-0002/
https://ubuntu.com/security/notices/USN-5328-1
https://ubuntu.com/security/notices/USN-5328-2
https://www.debian.org/security/2022/dsa-5103
https://www.openssl.org/news/secadv/20220315.txt
libssl1.1 CVE-2022-0778 HIGH 1.1.1l-r7 1.1.1n-r0
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
https://linux.oracle.com/cve/CVE-2022-0778.html
https://linux.oracle.com/errata/ELSA-2022-9246.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
https://security.netapp.com/advisory/ntap-20220321-0002/
https://ubuntu.com/security/notices/USN-5328-1
https://ubuntu.com/security/notices/USN-5328-2
https://www.debian.org/security/2022/dsa-5103
https://www.openssl.org/news/secadv/20220315.txt

gobinary

Package Vulnerability Severity Installed Version Fixed Version Links
golang.org/x/text CVE-2021-38561 UNKNOWN v0.3.6 0.3.7
Expand...

Container: quay.io/metallb/speaker:v0.12.1 (alpine 3.15.0)

alpine

Package Vulnerability Severity Installed Version Fixed Version Links
libcrypto1.1 CVE-2022-0778 HIGH 1.1.1l-r7 1.1.1n-r0
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
https://linux.oracle.com/cve/CVE-2022-0778.html
https://linux.oracle.com/errata/ELSA-2022-9246.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
https://security.netapp.com/advisory/ntap-20220321-0002/
https://ubuntu.com/security/notices/USN-5328-1
https://ubuntu.com/security/notices/USN-5328-2
https://www.debian.org/security/2022/dsa-5103
https://www.openssl.org/news/secadv/20220315.txt
libretls CVE-2022-0778 HIGH 3.3.4-r2 3.3.4-r3
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
https://linux.oracle.com/cve/CVE-2022-0778.html
https://linux.oracle.com/errata/ELSA-2022-9246.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
https://security.netapp.com/advisory/ntap-20220321-0002/
https://ubuntu.com/security/notices/USN-5328-1
https://ubuntu.com/security/notices/USN-5328-2
https://www.debian.org/security/2022/dsa-5103
https://www.openssl.org/news/secadv/20220315.txt
libssl1.1 CVE-2022-0778 HIGH 1.1.1l-r7 1.1.1n-r0
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
https://linux.oracle.com/cve/CVE-2022-0778.html
https://linux.oracle.com/errata/ELSA-2022-9246.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
https://security.netapp.com/advisory/ntap-20220321-0002/
https://ubuntu.com/security/notices/USN-5328-1
https://ubuntu.com/security/notices/USN-5328-2
https://www.debian.org/security/2022/dsa-5103
https://www.openssl.org/news/secadv/20220315.txt

gobinary

Package Vulnerability Severity Installed Version Fixed Version Links
golang.org/x/text CVE-2021-38561 UNKNOWN v0.3.6 0.3.7
Expand...

gobinary

Package Vulnerability Severity Installed Version Fixed Version Links
golang.org/x/text CVE-2021-38561 UNKNOWN v0.3.6 0.3.7
Expand...