Update db-deployment.yaml - security context

7dcf739
Open

Update db-deployment.yaml - security context #7

gcp-us4-usw1 / Sysdig check failed Mar 16, 2026 in 39s

Sysdig Pull Request Policy Evaluation

Sysdig Secure evaluated the Infrastructure-as-Code files in the pull request and identified violations to the following policies and zones:

Policies: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.5.0 • CIS Kubernetes V1.18 Benchmark • CIS Kubernetes V1.28 Benchmark • Sysdig Kubernetes

Zones: Entire Git • Voting-App-Zone

View more details at Sysdig docs

Summary

Severity | Count
🔴 High | 2
🟠 Medium | 7
🟡 Low | 7

Details

Violations of the following controls were identified:

Container with RunAsUser root or not set | 🔴 High | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | runAsUser in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 5.2.6 Minimize the admission of root containers [CIS Kubernetes V1.18 Benchmark]
  • 5.2.7 Minimize the admission of root containers [CIS Kubernetes V1.28 Benchmark]

Container with writable root file system | 🔴 High | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | readOnlyRootFilesystem in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 1.2 - Immutable container filesystem [Sysdig Kubernetes]

Approved Registries | 🟠 Medium | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | image in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 5.1.4 Minimize Container Registries to only those approved [CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.5.0]

Container using image without digest | 🟠 Medium | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | image in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 2.4 - Container image tag [Sysdig Kubernetes]

Container with root group access | 🟠 Medium | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | runAsGroup in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 1.6 - Container root group access [Sysdig Kubernetes]

Workload container default RunAsGroup root | 🟠 Medium | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | runAsGroup in workload | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 1.1 - Workload Default SecurityContext [Sysdig Kubernetes]

Workload missing CPU limit | 🟠 Medium | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | limits.cpu in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 2.2 - Missing container limits [Sysdig Kubernetes]

Workload missing memory limit | 🟠 Medium | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | limits.memory in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 2.2 - Missing container limits [Sysdig Kubernetes]

Workload with writable volumes | 🟠 Medium | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | /var/lib/postgresql/data in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 1.3 - Immutable container volumes [Sysdig Kubernetes]

Container uid is host range | 🟡 Low | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | runAsUser in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 3.2 - Container overlap host UID Range [Sysdig Kubernetes]
  • 5.2.6 Minimize the admission of root containers [CIS Kubernetes V1.18 Benchmark]
  • 5.2.7 Minimize the admission of root containers [CIS Kubernetes V1.28 Benchmark]

Container without liveness probe | 🟡 Low | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | livenessProbe in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 2.5 - Container probes [Sysdig Kubernetes]

Container without readiness probe | 🟡 Low | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | readinessProbe in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 2.5 - Container probes [Sysdig Kubernetes]

Workload container default RunAsUser root | 🟡 Low | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | runAsUser in workload | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 1.1 - Workload Default SecurityContext [Sysdig Kubernetes]

Workload container default permits root | 🟡 Low | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | runAsNonRoot in workload | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 1.1 - Workload Default SecurityContext [Sysdig Kubernetes]

Workload missing CPU request | 🟡 Low | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | requests.cpu in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 2.1 - Missing container requirements [Sysdig Kubernetes]

Workload missing memory request | 🟡 Low | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
db | Deployment | requests.memory in container postgres | /k8s-specifications/db-deployment.yaml

Failed Requirements:

  • 2.1 - Missing container requirements [Sysdig Kubernetes]