DBP-1011-fix-tag-pattern #7
YannickEverscheck-helm-kics-on-pr.yaml
on: pull_request
scan_pr
/
Kics Helm Chart Scan
25s
Annotations
10 warnings
|
[MEDIUM] Container Running With Low UID:
status/templates/deployment.yaml#L34
Check if containers are running with low UID, which might cause conflicts with the host's user table.
|
|
[MEDIUM] NET_RAW Capabilities Not Being Dropped:
status/templates/deployment.yaml#L34
Containers should drop 'ALL' or at least 'NET_RAW' capabilities
|
|
[MEDIUM] Seccomp Profile Is Not Configured:
status/templates/deployment.yaml#L34
Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
|
|
[MEDIUM] Service Account Token Automount Not Disabled:
status/templates/deployment.yaml#L26
Service Account Tokens are automatically mounted even if not necessary
|
|
[MEDIUM] Using Unrecommended Namespace:
status/templates/configmap-files.yaml#L4
Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
|
|
[MEDIUM] Using Unrecommended Namespace:
status/templates/secret.yaml#L5
Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
|
|
[MEDIUM] Using Unrecommended Namespace:
status/templates/service.yaml#L3
Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
|
|
[MEDIUM] Using Unrecommended Namespace:
status/templates/configmap.yaml#L4
Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
|
|
[MEDIUM] Volume Mount With OS Directory Write Permissions:
status/templates/deployment.yaml#L113
Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.
|
|
[LOW] Container Requests Not Equal To It's Limits:
status/templates/deployment.yaml#L96
Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively
|