When running security scans such as CheckMarx KICS, there are a couple of security high risk vulnerabilities raised:
Privilege Escalation Allowed
Platform: Kubernetes Category: Insecure Configurations
Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process. https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
dapr_operator/templates/dapr_operator_deployment.yaml Line 1
dapr_sentry/templates/dapr_sentry_deployment.yaml Line 1
dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml Line 1
Expected: metadata.name={{dapr-operator}}.spec.template.spec.containers.name={{dapr-operator}}.securityContext.allowPrivilegeEscalation should be set and should be set to false Found: metadata.name={{dapr-operator}}.spec.template.spec.containers.name={{dapr-operator}}.securityContext.allowPrivilegeEscalation is undefined
Role Binding To Default Service Account
Platform: Kubernetes Category: Insecure Defaults
No role nor cluster role should bind to a default service account. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
dapr_rbac/templates/secret-reader.yaml Line 26
Expected: subjects.kind=ServiceAccount.name should not be default Found: subjects.kind=ServiceAccount.name is default
25 {{- end }}
26 subjects:
27 - kind: ServiceAccount
And some other medium vulnerabilities as well.
So, it would be very useful to allow users to customize those settings using helm values. For example, adding values such as "allowPrivilegeEscalation" to values.yaml and templates.
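One way to implement the customization the issue proposes, shown as an added example rather than the Dapr chart's own templates: the values keys (dapr_operator.securityContext, dapr_rbac.secretReader.serviceAccountName) and the dedicated service account name are assumptions, and the template fragments are illustrative, not copied from the chart.

```yaml
# --- values.yaml (added example; assumed key names, not the Dapr chart's own) ---
dapr_operator:
  # Rendered verbatim into the container securityContext, so users can
  # tighten or relax it without editing templates. Defaults satisfy the
  # KICS "Privilege Escalation Allowed" check.
  securityContext:
    allowPrivilegeEscalation: false
    runAsNonRoot: true

dapr_rbac:
  secretReader:
    # Bind the secret-reader role to a dedicated service account instead of
    # "default", which clears the "Role Binding To Default Service Account" check.
    serviceAccountName: dapr-operator

# --- templates/dapr_operator_deployment.yaml (illustrative fragment) ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dapr-operator
spec:
  template:
    spec:
      # The pod runs under the same dedicated account the binding below targets.
      serviceAccountName: {{ .Values.dapr_rbac.secretReader.serviceAccountName }}
      containers:
        - name: dapr-operator
          image: "{{ .Values.dapr_operator.image }}"   # assumed value key
          securityContext:
            {{- toYaml .Values.dapr_operator.securityContext | nindent 12 }}

# --- templates/secret-reader.yaml (illustrative fragment) ---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-reader
subjects:
  - kind: ServiceAccount
    name: {{ .Values.dapr_rbac.secretReader.serviceAccountName }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```

After rendering with `helm template`, re-running KICS over the output confirms both findings are resolved; an override such as `--set dapr_operator.securityContext.allowPrivilegeEscalation=true` remains an explicit, reviewable choice rather than an undefined default.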