Security Scan
Helm-Chart
Scan Results
Chart Object: metallb/charts/metallb/templates/controller.yaml
Type | Misconfiguration ID | Check | Severity | Explanation | Links |
---|---|---|---|---|---|
Kubernetes Security Check | KSV011 | CPU not limited | LOW | Enforcing CPU limits prevents DoS via resource exhaustion. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.limits.cpu' | |
Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privilege. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'securityContext.runAsNonRoot' to true | |
Kubernetes Security Check | KSV015 | CPU requests not specified | LOW | When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.requests.cpu' | |
Kubernetes Security Check | KSV016 | Memory requests not specified | LOW | When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.requests.memory' | |
Kubernetes Security Check | KSV018 | Memory not limited | LOW | Enforcing memory limits prevents DoS via resource exhaustion. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'resources.limits.memory' | |
Kubernetes Security Check | KSV019 | Seccomp policies disabled | MEDIUM | A program inside the container can bypass Seccomp protection policies. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should specify a seccomp profile | |
Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Force the container to run with user ID > 10000 to avoid conflicts with the host's user table. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'securityContext.runAsUser' > 10000 | |
Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Force the container to run with group ID > 10000 to avoid conflicts with the host's group table. Container 'controller' of Deployment 'RELEASE-NAME-metallb-controller' should set 'securityContext.runAsGroup' > 10000 | |
No Misconfigurations found
Type | Misconfiguration ID | Check | Severity | Explanation | Links |
---|---|---|---|---|---|
Kubernetes Security Check | KSV009 | Access to host network | HIGH | Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter. DaemonSet 'RELEASE-NAME-metallb-speaker' should not set 'spec.template.spec.hostNetwork' to true | |
Kubernetes Security Check | KSV011 | CPU not limited | LOW | Enforcing CPU limits prevents DoS via resource exhaustion. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.limits.cpu' | |
Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privilege. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'securityContext.runAsNonRoot' to true | |
Kubernetes Security Check | KSV015 | CPU requests not specified | LOW | When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.requests.cpu' | |
Kubernetes Security Check | KSV016 | Memory requests not specified | LOW | When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.requests.memory' | |
Kubernetes Security Check | KSV018 | Memory not limited | LOW | Enforcing memory limits prevents DoS via resource exhaustion. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'resources.limits.memory' | |
Kubernetes Security Check | KSV019 | Seccomp policies disabled | MEDIUM | A program inside the container can bypass Seccomp protection policies. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should specify a seccomp profile | |
Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Force the container to run with user ID > 10000 to avoid conflicts with the host's user table. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'securityContext.runAsUser' > 10000 | |
Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Force the container to run with group ID > 10000 to avoid conflicts with the host's group table. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should set 'securityContext.runAsGroup' > 10000 | |
Kubernetes Security Check | KSV022 | Non-default capabilities added | MEDIUM | Adding NET_RAW or capabilities beyond the default set must be disallowed. Container 'speaker' of DaemonSet 'RELEASE-NAME-metallb-speaker' should not set 'securityContext.capabilities.add' | |
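The two tables above share eight findings that are all fixable from chart values (resources, runAsNonRoot, runAsUser/runAsGroup above 10000, a seccomp profile), while the speaker's KSV009 and KSV022 are functional: it announces service IPs from the node's own interfaces, so it needs the host network namespace and a raw-socket capability. The following added example is not Trivy's policy code and not part of the MetalLB chart; it re-implements the listed KSV checks approximately in Python, runs them over a constructed controller Deployment and speaker DaemonSet (only the workload, container and image names come from the scan; every other field, the NET_RAW capability, and the UID 10001 / RuntimeDefault / resource values of the hardening overlay are assumptions), and shows which findings a hardened values overlay clears and which remain.

```python
import copy

# Constructed sample, not the chart's rendered output: the workload, container and
# image names are those reported by the scan; every other field is an assumption.
CONTROLLER = {
    "kind": "Deployment",
    "metadata": {"name": "RELEASE-NAME-metallb-controller"},
    "spec": {"template": {"spec": {
        "hostNetwork": False,
        "containers": [{
            "name": "controller",
            "image": "quay.io/metallb/controller:v0.11.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }}},
}

# The speaker announces service IPs from the node's own interfaces, so it runs with
# hostNetwork and an added capability (NET_RAW is assumed here for illustration).
SPEAKER = copy.deepcopy(CONTROLLER)
SPEAKER["kind"] = "DaemonSet"
SPEAKER["metadata"]["name"] = "RELEASE-NAME-metallb-speaker"
_spk = SPEAKER["spec"]["template"]["spec"]
_spk["hostNetwork"] = True
_spk["containers"][0]["name"] = "speaker"
_spk["containers"][0]["image"] = "quay.io/metallb/speaker:v0.11.0"
_spk["containers"][0]["securityContext"]["capabilities"]["add"] = ["NET_RAW"]

# Hypothetical values.yaml overrides that clear the fixable findings; the UID/GID,
# seccomp profile type and resource sizes are assumptions, not chart defaults.
HARDENING = {
    "resources": {"requests": {"cpu": "50m", "memory": "64Mi"},
                  "limits": {"cpu": "200m", "memory": "128Mi"}},
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "runAsGroup": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
}


def harden(workload):
    """Return a copy of the workload with HARDENING applied to every container."""
    out = copy.deepcopy(workload)
    for c in out["spec"]["template"]["spec"]["containers"]:
        c["resources"] = copy.deepcopy(HARDENING["resources"])
        c.setdefault("securityContext", {}).update(
            copy.deepcopy(HARDENING["securityContext"]))
    return out


def ksv_findings(workload):
    """Approximate the Trivy KSV checks listed on this page; returns sorted check IDs.

    Pod- and container-level securityContext are merged field by field with the
    container winning, which is how Kubernetes resolves them at runtime.
    """
    pod = workload["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    found = set()
    if pod.get("hostNetwork"):
        found.add("KSV009")            # host network namespace shared
    for c in pod["containers"]:
        res = c.get("resources") or {}
        limits, requests = res.get("limits") or {}, res.get("requests") or {}
        if "cpu" not in limits:
            found.add("KSV011")        # CPU not limited
        if "cpu" not in requests:
            found.add("KSV015")        # CPU request missing
        if "memory" not in requests:
            found.add("KSV016")        # memory request missing
        if "memory" not in limits:
            found.add("KSV018")        # memory not limited
        sc = c.get("securityContext") or {}
        eff = {**pod_sc, **sc}
        if eff.get("runAsNonRoot") is not True:
            found.add("KSV012")        # may run as root
        if (eff.get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            found.add("KSV019")        # no seccomp profile
        if not (eff.get("runAsUser") or 0) > 10000:
            found.add("KSV020")        # low UID
        if not (eff.get("runAsGroup") or 0) > 10000:
            found.add("KSV021")        # low GID
        if (sc.get("capabilities") or {}).get("add"):
            found.add("KSV022")        # capabilities added beyond the default set
    return sorted(found)


if __name__ == "__main__":
    for name, wl in (("controller", CONTROLLER), ("speaker", SPEAKER)):
        print(name, "as shipped:", ksv_findings(wl))
        print(name, "hardened:  ", ksv_findings(harden(wl)))
```

As shipped, the constructed controller reproduces the eight IDs in the first table and the speaker the ten in the second; after `harden()` the controller is clean and the speaker keeps only KSV009 and KSV022. To run the same check against a real chart, parse the output of `helm template` with a YAML loader and pass each Deployment or DaemonSet document to `ksv_findings()`. Test any UID override in a non-production cluster first: an image that relies on a specific user for file ownership will fail to start under an arbitrary high UID.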
Containers
Detected Containers
quay.io/metallb/controller:v0.11.0
quay.io/metallb/speaker:v0.11.0
Scan Results
Container: quay.io/metallb/controller:v0.11.0 (alpine 3.14.2)
Target: alpine
Target: gobinary
Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
---|---|---|---|---|---|
golang.org/x/crypto | CVE-2020-29652 | HIGH | v0.0.0-20201002170205-7f63de1d35b0 | v0.0.0-20201216223049-8b5274cf687f | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652 https://go-review.googlesource.com/c/crypto/+/278852 https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1 https://linux.oracle.com/cve/CVE-2020-29652.html https://linux.oracle.com/errata/ELSA-2021-1796.html https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E https://nvd.nist.gov/vuln/detail/CVE-2020-29652 |
Container: quay.io/metallb/speaker:v0.11.0 (alpine 3.14.2)
Target: alpine
Target: gobinary
Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
---|---|---|---|---|---|
golang.org/x/crypto | CVE-2020-29652 | HIGH | v0.0.0-20201002170205-7f63de1d35b0 | v0.0.0-20201216223049-8b5274cf687f | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652 https://go-review.googlesource.com/c/crypto/+/278852 https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1 https://linux.oracle.com/cve/CVE-2020-29652.html https://linux.oracle.com/errata/ELSA-2021-1796.html https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E https://nvd.nist.gov/vuln/detail/CVE-2020-29652 |
CVE-2020-29652 is a nil pointer dereference in the golang.org/x/crypto/ssh server code that a remote client can trigger against an SSH server built from the affected module revision. The gobinary target matches on the module version recorded in the binary's Go build information and does not determine whether the ssh package is actually compiled into the controller or speaker, so treat the finding as a dependency update to the fixed revision rather than as evidence of an exposed SSH service. Both images embed the same module version, so one rebuild against the fixed revision clears it in both.