kyverno findings #33

Closed

fty4 opened this issue Jul 31, 2023 · 1 comment

Comments

@fty4
Member

fty4 commented Jul 31, 2023

This issue was created to track all open kyverno findings with the current Helm chart.

For each distinct finding I've already created a PR or issue.
Some of them might already be merged but not yet released.

findings

1 - certs daps

  • solved
finding message
policy require-run-as-nonroot -> resource default/Job/chart-certsconsumer-cert-transfer-daps failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule autogen-run-as-non-root[0] failed at path /spec/template/spec/securityContext/ rule autogen-run-as-non-root[1] failed at path /spec/template/spec/containers/0/securityContext/

policy require-run-as-nonroot -> resource default/Job/chart-certsprovider-cert-transfer-daps failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule autogen-run-as-non-root[0] failed at path /spec/template/spec/securityContext/ rule autogen-run-as-non-root[1] failed at path /spec/template/spec/containers/0/securityContext/

Resolved via #30

2 - psql

  • solved
finding message
policy require-run-as-nonroot -> resource poc-argocd/StatefulSet/chart-consumer-postgresql failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule autogen-run-as-non-root[0] failed at path /spec/template/spec/initContainers/ rule autogen-run-as-non-root[1] failed at path /spec/template/spec/initContainers/

policy require-run-as-nonroot -> resource poc-argocd/StatefulSet/chart-provider-postgresql failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule autogen-run-as-non-root[0] failed at path /spec/template/spec/initContainers/ rule autogen-run-as-non-root[1] failed at path /spec/template/spec/initContainers/

Resolved via eclipse-tractusx/tractusx-edc#677

3 - tx edc non-root

  • solved - merged but not yet released
finding message
policy require-run-as-nonroot -> resource default/Pod/chart-edcconsumertest-controlplane-readiness failed:
1. run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule run-as-non-root[0] failed at path /spec/securityContext/ rule run-as-non-root[1] failed at path /spec/containers/0/securityContext/

policy require-run-as-nonroot -> resource default/Pod/chart-edcconsumertest-dataplane-readiness failed:
1. run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule run-as-non-root[0] failed at path /spec/securityContext/ rule run-as-non-root[1] failed at path /spec/containers/0/securityContext/

policy require-run-as-nonroot -> resource default/Pod/chart-edcprovidertest-controlplane-readiness failed:
1. run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule run-as-non-root[0] failed at path /spec/securityContext/ rule run-as-non-root[1] failed at path /spec/containers/0/securityContext/

policy require-run-as-nonroot -> resource default/Pod/chart-edcprovidertest-dataplane-readiness failed:
1. run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule run-as-non-root[0] failed at path /spec/securityContext/ rule run-as-non-root[1] failed at path /spec/containers/0/securityContext/

Resolved via eclipse-tractusx/tractusx-edc#637

4 - vault non-root (test)

  • solved
finding message
policy require-run-as-nonroot -> resource poc-argocd/Pod/chart-server-test failed:
1. run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule run-as-non-root[0] failed at path /spec/securityContext/ rule run-as-non-root[1] failed at path /spec/containers/0/securityContext/

Requires a Helm chart update from 0.20.0 to 0.25.0.
Resolved via hashicorp/vault-helm#930

5 - description

  • solved
finding message
policy require-run-as-nonroot -> resource default/Deployment/chart-daps failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule autogen-run-as-non-root[0] failed at path /spec/template/spec/securityContext/runAsNonRoot/ rule autogen-run-as-non-root[1] failed at path /spec/template/spec/initContainers/0/securityContext/

Resolved via eclipse-tractusx/tractusx-edc#679

Additional information

These findings were detected on commit 4346500 after the kyverno workflow was introduced.
By now, or once e.g. v0.5.0 of the edc chart (without legacy) is implemented, the findings will change.
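All five findings above are the same rule, so here is an added example that makes the rule concrete. It is not Kyverno's code and not part of the tractusx charts; it re-implements the two alternatives that Kyverno's `require-run-as-nonroot` policy accepts (pod-level `spec.securityContext.runAsNonRoot: true` with no container overriding it, or every container setting the field itself), reports failed paths in the same form as the messages above, and shows the minimal fix. The manifests in it are constructed samples, not the chart's rendered output.

```python
import copy

CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")

# Kinds whose pod spec lives under spec.template.spec; Kyverno's autogen rule
# checks there and prefixes reported paths with /spec/template/spec/.
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec(resource):
    """Return (pod spec, JSON-pointer prefix) for a Pod or a pod controller."""
    kind = resource.get("kind")
    if kind == "Pod":
        return resource["spec"], "/spec"
    if kind in TEMPLATE_KINDS:
        return resource["spec"]["template"]["spec"], "/spec/template/spec"
    raise ValueError(f"unsupported kind: {kind}")


def _container_violations(spec, prefix, require_explicit):
    """Paths of containers that break the rule. With require_explicit=False a
    container fails only if it overrides runAsNonRoot with something other than
    true; with require_explicit=True it must set runAsNonRoot: true itself."""
    bad = []
    for key in CONTAINER_KEYS:
        for i, c in enumerate(spec.get(key) or []):
            sc = c.get("securityContext") or {}
            if require_explicit:
                if sc.get("runAsNonRoot") is not True:
                    bad.append(f"{prefix}/{key}/{i}/securityContext/")
            elif "runAsNonRoot" in sc and sc["runAsNonRoot"] is not True:
                bad.append(f"{prefix}/{key}/{i}/securityContext/")
    return bad


def check_run_as_nonroot(resource):
    """Return [] when the resource passes, else (rule variant, path) pairs for
    both alternatives, in the form the Kyverno messages above use."""
    spec, prefix = pod_spec(resource)
    # Variant [0]: pod-level runAsNonRoot: true and no container overrides it.
    v0 = []
    if (spec.get("securityContext") or {}).get("runAsNonRoot") is not True:
        v0.append(f"{prefix}/securityContext/")
    v0 += _container_violations(spec, prefix, require_explicit=False)
    if not v0:
        return []
    # Variant [1]: every container sets runAsNonRoot: true explicitly.
    v1 = _container_violations(spec, prefix, require_explicit=True)
    if not v1:
        return []
    return ([("run-as-non-root[0]", p) for p in v0]
            + [("run-as-non-root[1]", p) for p in v1])


def harden(resource):
    """Deep copy with runAsNonRoot: true at pod level and on every container,
    which satisfies both variants. It only asserts non-root: if the image's
    default user is UID 0, the kubelet refuses to start the container."""
    fixed = copy.deepcopy(resource)
    spec, _ = pod_spec(fixed)
    spec.setdefault("securityContext", {})["runAsNonRoot"] = True
    for key in CONTAINER_KEYS:
        for c in spec.get(key) or []:
            c.setdefault("securityContext", {})["runAsNonRoot"] = True
    return fixed


# Constructed sample (not the chart's manifest): a Job that sets neither the
# pod-level nor the container-level field, the situation in finding 1 above.
JOB_UNSET = {
    "kind": "Job",
    "metadata": {"name": "cert-transfer", "namespace": "default"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "transfer", "image": "example/transfer:1"}],
    }}},
}

# Constructed sample: pod-level true, but an init container overrides it to
# false, so it breaks both variants (in finding 2 the failing path was the
# init containers as well).
POD_INIT_ROOT = {
    "kind": "Pod",
    "metadata": {"name": "db-0", "namespace": "default"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "initContainers": [{"name": "init-chmod", "image": "example/init:1",
                            "securityContext": {"runAsNonRoot": False}}],
        "containers": [{"name": "db", "image": "example/db:1",
                        "securityContext": {"runAsNonRoot": True}}],
    },
}

if __name__ == "__main__":
    for res in (JOB_UNSET, POD_INIT_ROOT, harden(JOB_UNSET)):
        name = f"{res['kind']}/{res['metadata']['name']}"
        failures = check_run_as_nonroot(res)
        print(name, "pass" if not failures else failures)
```

For the Job sample the reported paths are the same two that finding 1 shows (`/spec/template/spec/securityContext/` and `/spec/template/spec/containers/0/securityContext/`), which is why a single missing field produces two failure lines: Kyverno tries both alternatives and reports where each one broke. One caveat when applying the fix in a chart: `runAsNonRoot: true` is a promise the kubelet verifies at container start, so an image whose default user is root fails with CreateContainerConfigError, and an image with a non-numeric `USER` cannot be verified unless `runAsUser` is also set to a non-zero UID. That is the reason most of the findings above needed image or upstream chart changes (e.g. the vault and postgresql charts) rather than only a values tweak.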

@almadigabor
Contributor

Applying the Kyverno policies via workflow has been put on hold as it is not in focus now, and products should fix these issues in their own chart before implementing them as a dependency here. I'm closing this one and will create a new issue once it gets more relevance.

almadigabor closed this as not planned on Feb 1, 2024.