Security Overview
Helm-Chart
Scan Results
Chart Object: metallb/charts/metallb/templates/controller.yaml
Type | Misconfiguration ID | Check | Severity | Explanation | Links |
---|---|---|---|---|---|
Kubernetes Security Check | KSV011 | CPU not limited | LOW | Enforcing CPU limits prevents DoS via resource exhaustion. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.limits.cpu' |
Kubernetes Security Check | KSV015 | CPU requests not specified | LOW | When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.requests.cpu' |
Kubernetes Security Check | KSV016 | Memory requests not specified | LOW | When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.requests.memory' |
Kubernetes Security Check | KSV018 | Memory not limited | LOW | Enforcing memory limits prevents DoS via resource exhaustion. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.limits.memory' |
Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'securityContext.runAsUser' > 10000 |
Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'securityContext.runAsGroup' > 10000 |
Kubernetes Security Check | KSV029 | A root primary or supplementary GID set | LOW | Containers should be forbidden from running with a root primary or supplementary GID. Deployment 'RELEASE-NAME-metallb-controller' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0 |
No Misconfigurations found |
---|
Type | Misconfiguration ID | Check | Severity | Explanation | Links |
---|---|---|---|---|---|
Kubernetes Security Check | KSV009 | Access to host network | HIGH | Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter. DaemonSet 'RELEASE-NAME-metallb-speaker' should not set 'spec.template.spec.hostNetwork' to true |
Kubernetes Security Check | KSV011 | CPU not limited | LOW | Enforcing CPU limits prevents DoS via resource exhaustion. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.limits.cpu' |
Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'securityContext.runAsNonRoot' to true |
Kubernetes Security Check | KSV015 | CPU requests not specified | LOW | When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.requests.cpu' |
Kubernetes Security Check | KSV016 | Memory requests not specified | LOW | When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.requests.memory' |
Kubernetes Security Check | KSV018 | Memory not limited | LOW | Enforcing memory limits prevents DoS via resource exhaustion. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.limits.memory' |
Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'securityContext.runAsUser' > 10000 |
Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'securityContext.runAsGroup' > 10000 |
Kubernetes Security Check | KSV022 | Non-default capabilities added | MEDIUM | Adding NET_RAW or capabilities beyond the default set must be disallowed. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should not set 'securityContext.capabilities.add' |
Containers
Detected Containers
quay.io/metallb/controller:v0.12.1
quay.io/metallb/speaker:v0.12.1
Scan Results
Container: quay.io/metallb/controller:v0.12.1 (alpine 3.15.0)
alpine
No Vulnerabilities found |
---|
gobinary
Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
---|---|---|---|---|---|
golang.org/x/text | CVE-2021-38561 | UNKNOWN | v0.3.6 | 0.3.7 | |
Container: quay.io/metallb/speaker:v0.12.1 (alpine 3.15.0)
alpine
No Vulnerabilities found |
---|
gobinary
Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
---|---|---|---|---|---|
golang.org/x/text | CVE-2021-38561 | UNKNOWN | v0.3.6 | 0.3.7 | |
gobinary
Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
---|---|---|---|---|---|
golang.org/x/text | CVE-2021-38561 | UNKNOWN | v0.3.6 | 0.3.7 | |