C-0004 - Memory Limit Request False-Positive #159

Open · dwertent opened this issue Nov 7, 2022 · 7 comments
Labels: bug (Something isn't working)

dwertent (Contributor) commented Nov 7, 2022

Copied from here

Kubescape version: v2.0.164

Description:
Kubescape will always report a finding for control 0004 on Deployments. I am scanning in an air-gapped environment, with a custom framework and exception file.

Testing:
Scanning the following yaml (with Mem limits and requests specified = spec.template.spec.containers[0].resources) - kubescape reports a finding on this control

apiVersion: apps/v1
kind: Deployment
metadata:
  generation: 19
  labels:
    app: dtr-customer-myapp
  name: dtr-customer-myapp
  namespace: dtr-customer
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: dtr-customer-myapp
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: dtr-customer-myapp
    spec:
      containers:
      - envFrom:
        - configMapRef:
            name: dtr-customer-myapp-configmap
        - secretRef:
            name: dtr-customer-myapp-secrets
        image: myrepo.domain.com/cre/dtr-customer-myapp:1.1.1
        imagePullPolicy: IfNotPresent
        name: dtr-customer-myapp
        ports:
        - containerPort: 343
          protocol: TCP
        resources:
          limits:
            cpu: 450m
            memory: "512Mi"
          requests:
            cpu: 100m
            memory: "200Mi"
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      imagePullSecrets:
      - name: myimagesecret
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      topologySpreadConstraints:
      - labelSelector:
          matchLabels:
            app: dtr-customer-myapp
        maxSkew: 1
        topologyKey: kubernetes.io/hostname
        whenUnsatisfiable: ScheduleAnyway

> ./kubescape scan framework dtr --use-artifacts-from kubescape-artifacts/ --verbose testing/dtr-deploy.yaml

################################################################################
Source: /opt/testing/deploy.yaml
ApiVersion: apps/v1
Kind: Deployment
Name: dtr-customer-myapp
Namespace: dtr-customer

Controls: 15 (Failed: 3, Excluded: 0)

+----------+--------------------------------+------------------------------------+---------------------------------------------------------------------------------+
| SEVERITY |          CONTROL NAME          |                DOCS                |                              ASSISTANT REMEDIATION                              |
+----------+--------------------------------+------------------------------------+---------------------------------------------------------------------------------+
| High     | Resources memory limit and     | https://hub.armosec.io/docs/c-0004 | spec.template.spec.containers[0].resources.limits.memory                        |
|          | request                        |                                    |                                                                                 |
+----------+--------------------------------+------------------------------------+---------------------------------------------------------------------------------+
| Medium   | Allow privilege escalation     | https://hub.armosec.io/docs/c-0016 | spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false |
+          +--------------------------------+------------------------------------+---------------------------------------------------------------------------------+
|          | Non-root containers            | https://hub.armosec.io/docs/c-0013 | spec.template.spec.securityContext.runAsNonRoot=true                            |
|          |                                |                                    | spec.template.spec.securityContext.allowPrivilegeEscalation=false               |
+----------+--------------------------------+------------------------------------+---------------------------------------------------------------------------------+

@dwertent dwertent added the bug Something isn't working label Nov 7, 2022
@yuleib yuleib self-assigned this Nov 10, 2022
matheensyedaslam commented

Any update on this? Facing the same issue.

matheensyedaslam commented

Any turn-around?

yuleib (Collaborator) commented Oct 30, 2023

Hi @matheensyedaslam, we moved this issue to internal review by the R&D team.
We will provide a fix for that; I will let you know once this issue is solved.

matheensyedaslam commented

Any interim fix?

kooomix (Collaborator) commented Nov 28, 2023

Hi @matheensyedaslam,

Please note this control will also fail if the limits are exceeded by custom configurations. See the control doc here.

I offer the following steps:

  1. Check your controls input under kubescape-artifacts/.
  2. If you have the limits configured, set the value to an empty list and try again.
  3. For the best experience, please make sure you have the latest kubescape version installed.

Please let us know if the issue is resolved for you.

Eran
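The point in the comment above (a finding on C-0004 is raised not only when a memory limit or request is missing, but also when a threshold configured in the control inputs is violated, and an empty list disables that threshold) is easy to reproduce outside Kubescape. The following is an added example written for this page, not Kubescape's own rule code: it reimplements that two-part check in Python over the Deployment from the issue (trimmed to the relevant fields and embedded as a constructed dict). The input key names `memory_limit_max`, `memory_limit_min`, `memory_request_max` and `memory_request_min`, and the list-of-quantities format, are assumptions about the shape of controls-inputs.json; adjust them to match your artifacts.

```python
import re
from typing import Dict, List, Optional

# Kubernetes quantity suffixes: decimal SI (k, M, G, ...) and binary (Ki, Mi, Gi, ...).
_SUFFIXES: Dict[str, float] = {
    "n": 1e-9, "u": 1e-6, "m": 1e-3, "": 1.0,
    "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12, "P": 1e15, "E": 1e18,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60,
}
_QUANTITY_RE = re.compile(r"^([0-9]+(?:\.[0-9]+)?)([A-Za-z]*)$")

# Assumed control-input keys (not taken from the Kubescape source); each value is a
# list holding at most one quantity, and an empty list disables that threshold.
_THRESHOLD_KEYS = ("memory_limit_max", "memory_limit_min",
                   "memory_request_max", "memory_request_min")


def parse_quantity(value) -> float:
    """Convert a Kubernetes memory quantity ("512Mi", "200M", 1073741824) to bytes."""
    match = _QUANTITY_RE.match(str(value).strip())
    if not match or match.group(2) not in _SUFFIXES:
        raise ValueError(f"unsupported Kubernetes quantity: {value!r}")
    return float(match.group(1)) * _SUFFIXES[match.group(2)]


def _threshold(inputs: dict, key: str) -> Optional[float]:
    """Read one threshold from the control inputs; a missing or empty list means 'off'."""
    values = inputs.get(key) or []
    return parse_quantity(values[0]) if values else None


def check_memory_limit_and_request(workload: dict, inputs: Optional[dict] = None) -> List[str]:
    """Return one finding per violated path, in the same path notation Kubescape prints.

    A container fails when memory limit/request is absent, or when a configured
    threshold is exceeded (max) or undercut (min), which is why a manifest that
    does set both values can still produce a finding.
    """
    inputs = inputs or {}
    bounds = {key: _threshold(inputs, key) for key in _THRESHOLD_KEYS}
    findings: List[str] = []
    pod_spec = workload.get("spec", {}).get("template", {}).get("spec", {})
    for idx, container in enumerate(pod_spec.get("containers", [])):
        resources = container.get("resources") or {}
        for section, kind in (("limits", "limit"), ("requests", "request")):
            path = f"spec.template.spec.containers[{idx}].resources.{section}.memory"
            raw = (resources.get(section) or {}).get("memory")
            if raw is None:
                findings.append(f"{path}: memory {kind} not set")
                continue
            value = parse_quantity(raw)
            hi_key, lo_key = f"memory_{kind}_max", f"memory_{kind}_min"
            if bounds[hi_key] is not None and value > bounds[hi_key]:
                findings.append(f"{path}: {raw} exceeds {hi_key} {inputs[hi_key][0]}")
            if bounds[lo_key] is not None and value < bounds[lo_key]:
                findings.append(f"{path}: {raw} is below {lo_key} {inputs[lo_key][0]}")
    return findings


# Constructed input: the Deployment from the issue, reduced to the fields the check reads.
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "dtr-customer-myapp", "namespace": "dtr-customer"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "dtr-customer-myapp",
        "image": "myrepo.domain.com/cre/dtr-customer-myapp:1.1.1",
        "resources": {
            "limits": {"cpu": "450m", "memory": "512Mi"},
            "requests": {"cpu": "100m", "memory": "200Mi"},
        },
    }]}}},
}


if __name__ == "__main__":
    # No thresholds configured: limit and request are present, so the control passes.
    print("no thresholds:", check_memory_limit_and_request(DEPLOYMENT, {}))
    # A configured maximum below the manifest's 512Mi limit reproduces the reported finding.
    print("max 256Mi:", check_memory_limit_and_request(DEPLOYMENT, {"memory_limit_max": ["256Mi"]}))
    # An empty list is the documented way to switch the threshold off again.
    print("max []:", check_memory_limit_and_request(DEPLOYMENT, {"memory_limit_max": []}))
```

Run it against your own controls-inputs.json by loading that file with `json.load` and passing the dict as `inputs`; if the reported path is `...resources.limits.memory` while the manifest clearly sets a limit, look for a non-empty `memory_limit_max` or `memory_limit_min` entry first.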

yuleib (Collaborator) commented Dec 6, 2023

Hey @matheensyedaslam, can you please check if @kooomix's feedback above helps?

matheensyedaslam commented

Still facing the same issue. I have configured controls-inputs.json with limits and it fails to detect it, as mentioned in BUG: #536.
The issue still exists: we can't configure C-0004 and C-0050 for threshold detection.
