kubescape/scapepkg/score/frameworkmock.json

{
"name": "MITRE",
"controlReports": [{
"name": "Writable hostPath mount",
"ruleReports": [{
"name": "alert-rw-hostpath",
"remediation": "",
"ruleStatus": {
"status": "success",
"message": ""
},
"ruleResponses":
[
{
"alertMessage": "pod: etcd-david-virtualbox has: etcd-certs as hostPath volume",
"packagename": "armo_builtins",
"alertScore": 0,
"alertObject": {
"k8sApiObjects": [{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"annotations": {
"kubernetes.io/config.hash": "e0fcc6e4323055b5880f8aac4c950836",
"kubernetes.io/config.mirror": "e0fcc6e4323055b5880f8aac4c950836",
"kubernetes.io/config.seen": "2021-06-20T12:06:52.495386281+03:00",
"kubernetes.io/config.source": "file"
},
"creationTimestamp": "2021-06-20T09:08:22Z",
"labels": {
"component": "etcd",
"tier": "control-plane"
},
"name": "etcd-david-virtualbox",
"namespace": "kube-system",
"resourceVersion": "1301679",
"selfLink": "/api/v1/namespaces/kube-system/pods/etcd-david-virtualbox",
"uid": "154e7f87-907f-4edb-a73c-26e965d4fe02"
},
"spec": {
"containers": [{
"command": ["etcd", "--advertise-client-urls=https://10.0.2.15:2379", "--cert-file=/var/lib/minikube/certs/etcd/server.crt", "--client-cert-auth=true", "--data-dir=/var/lib/minikube/etcd", "--initial-advertise-peer-urls=https://10.0.2.15:2380", "--initial-cluster=david-virtualbox=https://10.0.2.15:2380", "--key-file=/var/lib/minikube/certs/etcd/server.key", "--listen-client-urls=https://127.0.0.1:2379,https://10.0.2.15:2379", "--listen-metrics-urls=http://127.0.0.1:2381,http://10.0.2.15:2381", "--listen-peer-urls=https://10.0.2.15:2380", "--name=david-virtualbox", "--peer-cert-file=/var/lib/minikube/certs/etcd/peer.crt", "--peer-client-cert-auth=true", "--peer-key-file=/var/lib/minikube/certs/etcd/peer.key", "--peer-trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt", "--snapshot-count=10000", "--trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt"],
"image": "k8s.gcr.io/etcd:3.3.15-0",
"imagePullPolicy": "IfNotPresent",
"livenessProbe": {
"failureThreshold": 8,
"httpGet": {
"host": "127.0.0.1",
"path": "/health",
"port": 2381,
"scheme": "HTTP"
},
"initialDelaySeconds": 15,
"periodSeconds": 10,
"successThreshold": 1,
"timeoutSeconds": 15
},
"name": "etcd",
"resources": {},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [{
"mountPath": "/var/lib/minikube/etcd",
"name": "etcd-data"
}, {
"mountPath": "/var/lib/minikube/certs/etcd",
"name": "etcd-certs"
}]
}],
"dnsPolicy": "ClusterFirst",
"enableServiceLinks": true,
"hostNetwork": true,
"nodeName": "david-virtualbox",
"priority": 2000000000,
"priorityClassName": "system-cluster-critical",
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {},
"terminationGracePeriodSeconds": 30,
"tolerations": [{
"effect": "NoExecute",
"operator": "Exists"
}],
"volumes": [{
"hostPath": {
"path": "/var/lib/minikube/certs/etcd",
"type": "DirectoryOrCreate"
},
"name": "etcd-certs"
}, {
"hostPath": {
"path": "/var/lib/minikube/etcd",
"type": "DirectoryOrCreate"
},
"name": "etcd-data"
}]
},
"status": {
"conditions": [{
"lastProbeTime": null,
"lastTransitionTime": "2021-08-17T05:50:06Z",
"status": "True",
"type": "Initialized"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-08-17T05:50:08Z",
"status": "True",
"type": "Ready"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-08-17T05:50:08Z",
"status": "True",
"type": "ContainersReady"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-08-17T05:50:06Z",
"status": "True",
"type": "PodScheduled"
}],
"containerStatuses": [{
"containerID": "docker://bcb9f50b86a6f81026185efdbbc0f1a0d8acee397594916c999000aa07395da5",
"image": "k8s.gcr.io/etcd:3.3.15-0",
"imageID": "docker-pullable://k8s.gcr.io/etcd@sha256:12c2c5e5731c3bcd56e6f1c05c0f9198b6f06793fa7fca2fb43aab9622dc4afa",
"lastState": {
"terminated": {
"containerID": "docker://3d9c0a12b14c9afa88f022f01c70f430a8171f53600b18dc9b74542106ead33b",
"exitCode": 0,
"finishedAt": "2021-08-16T16:16:20Z",
"reason": "Completed",
"startedAt": "2021-08-15T06:14:03Z"
}
},
"name": "etcd",
"ready": true,
"restartCount": 35,
"started": true,
"state": {
"running": {
"startedAt": "2021-08-17T05:50:07Z"
}
}
}],
"hostIP": "10.0.2.15",
"phase": "Running",
"podIP": "10.0.2.15",
"podIPs": [{
"ip": "10.0.2.15"
}],
"qosClass": "BestEffort",
"startTime": "2021-08-17T05:50:06Z"
}
}]
},
"context": null,
"rulename": "",
"exceptionName": ""
}, {
"alertMessage": "pod: etcd-david-virtualbox has: etcd-data as hostPath volume",
"packagename": "armo_builtins",
"alertScore": 0,
"alertObject": {
"k8sApiObjects": [{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"annotations": {
"kubernetes.io/config.hash": "e0fcc6e4323055b5880f8aac4c950836",
"kubernetes.io/config.mirror": "e0fcc6e4323055b5880f8aac4c950836",
"kubernetes.io/config.seen": "2021-06-20T12:06:52.495386281+03:00",
"kubernetes.io/config.source": "file"
},
"creationTimestamp": "2021-06-20T09:08:22Z",
"labels": {
"component": "etcd",
"tier": "control-plane"
},
"name": "etcd-david-virtualbox",
"namespace": "kube-system",
"resourceVersion": "1301679",
"selfLink": "/api/v1/namespaces/kube-system/pods/etcd-david-virtualbox",
"uid": "154e7f87-907f-4edb-a73c-26e965d4fe02"
},
"spec": {
"containers": [{
"command": ["etcd", "--advertise-client-urls=https://10.0.2.15:2379", "--cert-file=/var/lib/minikube/certs/etcd/server.crt", "--client-cert-auth=true", "--data-dir=/var/lib/minikube/etcd", "--initial-advertise-peer-urls=https://10.0.2.15:2380", "--initial-cluster=david-virtualbox=https://10.0.2.15:2380", "--key-file=/var/lib/minikube/certs/etcd/server.key", "--listen-client-urls=https://127.0.0.1:2379,https://10.0.2.15:2379", "--listen-metrics-urls=http://127.0.0.1:2381,http://10.0.2.15:2381", "--listen-peer-urls=https://10.0.2.15:2380", "--name=david-virtualbox", "--peer-cert-file=/var/lib/minikube/certs/etcd/peer.crt", "--peer-client-cert-auth=true", "--peer-key-file=/var/lib/minikube/certs/etcd/peer.key", "--peer-trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt", "--snapshot-count=10000", "--trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt"],
"image": "k8s.gcr.io/etcd:3.3.15-0",
"imagePullPolicy": "IfNotPresent",
"livenessProbe": {
"failureThreshold": 8,
"httpGet": {
"host": "127.0.0.1",
"path": "/health",
"port": 2381,
"scheme": "HTTP"
},
"initialDelaySeconds": 15,
"periodSeconds": 10,
"successThreshold": 1,
"timeoutSeconds": 15
},
"name": "etcd",
"resources": {},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [{
"mountPath": "/var/lib/minikube/etcd",
"name": "etcd-data"
}, {
"mountPath": "/var/lib/minikube/certs/etcd",
"name": "etcd-certs"
}]
}],
"dnsPolicy": "ClusterFirst",
"enableServiceLinks": true,
"hostNetwork": true,
"nodeName": "david-virtualbox",
"priority": 2000000000,
"priorityClassName": "system-cluster-critical",
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {},
"terminationGracePeriodSeconds": 30,
"tolerations": [{
"effect": "NoExecute",
"operator": "Exists"
}],
"volumes": [{
"hostPath": {
"path": "/var/lib/minikube/certs/etcd",
"type": "DirectoryOrCreate"
},
"name": "etcd-certs"
}, {
"hostPath": {
"path": "/var/lib/minikube/etcd",
"type": "DirectoryOrCreate"
},
"name": "etcd-data"
}]
},
"status": {
"conditions": [{
"lastProbeTime": null,
"lastTransitionTime": "2021-08-17T05:50:06Z",
"status": "True",
"type": "Initialized"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-08-17T05:50:08Z",
"status": "True",
"type": "Ready"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-08-17T05:50:08Z",
"status": "True",
"type": "ContainersReady"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-08-17T05:50:06Z",
"status": "True",
"type": "PodScheduled"
}],
"containerStatuses": [{
"containerID": "docker://bcb9f50b86a6f81026185efdbbc0f1a0d8acee397594916c999000aa07395da5",
"image": "k8s.gcr.io/etcd:3.3.15-0",
"imageID": "docker-pullable://k8s.gcr.io/etcd@sha256:12c2c5e5731c3bcd56e6f1c05c0f9198b6f06793fa7fca2fb43aab9622dc4afa",
"lastState": {
"terminated": {
"containerID": "docker://3d9c0a12b14c9afa88f022f01c70f430a8171f53600b18dc9b74542106ead33b",
"exitCode": 0,
"finishedAt": "2021-08-16T16:16:20Z",
"reason": "Completed",
"startedAt": "2021-08-15T06:14:03Z"
}
},
"name": "etcd",
"ready": true,
"restartCount": 35,
"started": true,
"state": {
"running": {
"startedAt": "2021-08-17T05:50:07Z"
}
}
}],
"hostIP": "10.0.2.15",
"phase": "Running",
"podIP": "10.0.2.15",
"podIPs": [{
"ip": "10.0.2.15"
}],
"qosClass": "BestEffort",
"startTime": "2021-08-17T05:50:06Z"
}
}]
},
"context": null,
"rulename": "",
"exceptionName": ""
}, {
"alertMessage": "pod: kube-controller-manager-david-virtualbox has: flexvolume-dir as hostPath volume",
"packagename": "armo_builtins",
"alertScore": 0,
"alertObject": {
"k8sApiObjects": [{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"annotations": {
"kubernetes.io/config.hash": "a16b2d5766eae37796e4a8ed7f8ce12a",
"kubernetes.io/config.mirror": "a16b2d5766eae37796e4a8ed7f8ce12a",
"kubernetes.io/config.seen": "2021-06-20T12:06:52.495389283+03:00",
"kubernetes.io/config.source": "file"
},
"creationTimestamp": "2021-06-20T09:08:00Z",
"labels": {
"component": "kube-controller-manager",
"tier": "control-plane"
},
"name": "kube-controller-manager-david-virtualbox",
"namespace": "kube-system",
"resourceVersion": "1301685",
"selfLink": "/api/v1/namespaces/kube-system/pods/kube-controller-manager-david-virtualbox",
"uid": "6ca9d32c-21c3-4c0e-8087-5445c80a2bcc"
},
"spec": {
"containers": [{
"command": ["kube-controller-manager", "--allocate-node-cidrs=true", "--authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", "--authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", "--bind-address=127.0.0.1", "--client-ca-file=/var/lib/minikube/certs/ca.crt", "--cluster-cidr=10.244.0.0/16", "--cluster-signing-cert-file=/var/lib/minikube/certs/ca.crt", "--cluster-signing-key-file=/var/lib/minikube/certs/ca.key", "--controllers=*,bootstrapsigner,tokencleaner", "--kubeconfig=/etc/kubernetes/controller-manager.conf", "--leader-elect=false", "--node-cidr-mask-size=24", "--requestheader-client-ca-file=/var/lib/minikube/certs/front-proxy-ca.crt", "--root-ca-file=/var/lib/minikube/certs/ca.crt", "--service-account-private-key-file=/var/lib/minikube/certs/sa.key", "--service-cluster-ip-range=10.96.0.0/12", "--use-service-account-credentials=true"],
"image": "k8s.gcr.io/kube-controller-manager:v1.16.0",
"imagePullPolicy": "IfNotPresent",
"livenessProbe": {
"failureThreshold": 8,
"httpGet": {
"host": "127.0.0.1",
"path": "/healthz",
"port": 10252,
"scheme": "HTTP"
},
"initialDelaySeconds": 15,
"periodSeconds": 10,
"successThreshold": 1,
"timeoutSeconds": 15
},
"name": "kube-controller-manager",
"resources": {
"requests": {
"cpu": "200m"
}
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [{
"mountPath": "/etc/ssl/certs",
"name": "ca-certs",
"readOnly": true
}, {
"mountPath": "/etc/ca-certificates",
"name": "etc-ca-certificates",
"readOnly": true
}, {
"mountPath": "/etc/pki",
"name": "etc-pki",
"readOnly": true
}, {
"mountPath": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec",
"name": "flexvolume-dir"
}, {
"mountPath": "/var/lib/minikube/certs",
"name": "k8s-certs",
"readOnly": true
}, {
"mountPath": "/etc/kubernetes/controller-manager.conf",
"name": "kubeconfig",
"readOnly": true
}, {
"mountPath": "/usr/local/share/ca-certificates",
"name": "usr-local-share-ca-certificates",
"readOnly": true
}, {
"mountPath": "/usr/share/ca-certificates",
"name": "usr-share-ca-certificates",
"readOnly": true
}]
}],
"dnsPolicy": "ClusterFirst",
"enableServiceLinks": true,
"hostNetwork": true,
"nodeName": "david-virtualbox",
"priority": 2000000000,
"priorityClassName": "system-cluster-critical",
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {},
"terminationGracePeriodSeconds": 30,
"tolerations": [{
"effect": "NoExecute",
"operator": "Exists"
}],
"volumes": [{
"hostPath": {
"path": "/etc/ssl/certs",
"type": "DirectoryOrCreate"
},
"name": "ca-certs"
}, {
"hostPath": {
"path": "/etc/ca-certificates",
"type": "DirectoryOrCreate"
},
"name": "etc-ca-certificates"
}, {
"hostPath": {
"path": "/etc/pki",
"type": "DirectoryOrCreate"
},
"name": "etc-pki"
}, {
"hostPath": {
"path": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec",
"type": "DirectoryOrCreate"
},
"name": "flexvolume-dir"
}, {
"hostPath": {
"path": "/var/lib/minikube/certs",
"type": "DirectoryOrCreate"
},
"name": "k8s-certs"
}, {
"hostPath": {
"path": "/etc/kubernetes/controller-manager.conf",
"type": "FileOrCreate"
},
"name": "kubeconfig"
}, {
"hostPath": {
"path": "/usr/local/share/ca-certificates",
"type": "DirectoryOrCreate"
},
"name": "usr-local-share-ca-certificates"
}, {
"hostPath": {
"path": "/usr/share/ca-certificates",
"type": "DirectoryOrCreate"
},
"name": "usr-share-ca-certificates"
}]
},
"status": {
"conditions": [{
"lastProbeTime": null,
"lastTransitionTime": "2021-08-10T10:06:37Z",
"status": "True",
"type": "Initialized"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-08-15T06:14:12Z",
"status": "True",
"type": "Ready"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-08-15T06:14:12Z",
"status": "True",
"type": "ContainersReady"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-08-10T10:06:37Z",
"status": "True",
"type": "PodScheduled"
}],
"containerStatuses": [{
"containerID": "docker://bb1975f8808ae29cf443c4dff4e82623850190d7e4247e63571fda6c23ed8bab",
"image": "k8s.gcr.io/kube-controller-manager:v1.16.0",
"imageID": "docker-pullable://k8s.gcr.io/kube-controller-manager@sha256:c156a05ee9d40e3ca2ebf9337f38a10558c1fc6c9124006f128a82e6c38cdf3e",
"lastState": {
"terminated": {
"containerID": "docker://8988b28ff6588090bff373abb4726805716c7623a83364aa29e50a30e0671a81",
"exitCode": 2,
"finishedAt": "2021-08-16T16:16:20Z",
"reason": "Error",
"startedAt": "2021-08-15T06:14:10Z"
}
},
"name": "kube-controller-manager",
"ready": true,
"restartCount": 38,
"started": true,
"state": {
"running": {
"startedAt": "2021-08-17T05:50:07Z"
}
}
}],
"hostIP": "10.0.2.15",
"phase": "Running",
"podIP": "10.0.2.15",
"podIPs": [{
"ip": "10.0.2.15"
}],
"qosClass": "Burstable",
"startTime": "2021-08-10T10:06:37Z"
}
}]
},
"context": null,
"rulename": "",
"exceptionName": ""
}, {
"alertMessage": "pod: storage-provisioner has: tmp as hostPath volume",
"packagename": "armo_builtins",
"alertScore": 0,
"alertObject": {
"k8sApiObjects": [{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"addonmanager.kubernetes.io/mode\":\"Reconcile\",\"integration-test\":\"storage-provisioner\"},\"name\":\"storage-provisioner\",\"namespace\":\"kube-system\"},\"spec\":{\"containers\":[{\"command\":[\"/storage-provisioner\"],\"image\":\"gcr.io/k8s-minikube/storage-provisioner:v4\",\"imagePullPolicy\":\"IfNotPresent\",\"name\":\"storage-provisioner\",\"volumeMounts\":[{\"mountPath\":\"/tmp\",\"name\":\"tmp\"}]}],\"hostNetwork\":true,\"serviceAccountName\":\"storage-provisioner\",\"volumes\":[{\"hostPath\":{\"path\":\"/tmp\",\"type\":\"Directory\"},\"name\":\"tmp\"}]}}\n"
},
"creationTimestamp": "2021-06-20T09:07:09Z",
"labels": {
"addonmanager.kubernetes.io/mode": "Reconcile",
"integration-test": "storage-provisioner"
},
"name": "storage-provisioner",
"namespace": "kube-system",
"resourceVersion": "1301849",
"selfLink": "/api/v1/namespaces/kube-system/pods/storage-provisioner",
"uid": "ea5dc2e2-4f7a-49f4-9e88-37e8e2d741a5"
},
"spec": {
"containers": [{
"command": ["/storage-provisioner"],
"image": "gcr.io/k8s-minikube/storage-provisioner:v4",
"imagePullPolicy": "IfNotPresent",
"name": "storage-provisioner",
"resources": {},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [{
"mountPath": "/tmp",
"name": "tmp"
}, {
"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
"name": "storage-provisioner-token-bbjlq",
"readOnly": true
}]
}],
"dnsPolicy": "ClusterFirst",
"enableServiceLinks": true,
"hostNetwork": true,
"nodeName": "david-virtualbox",
"priority": 0,
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {},
"serviceAccount": "storage-provisioner",
"serviceAccountName": "storage-provisioner",
"terminationGracePeriodSeconds": 30,
"tolerations": [{
"effect": "NoExecute",
"key": "node.kubernetes.io/not-ready",
"operator": "Exists",
"tolerationSeconds": 300
}, {
"effect": "NoExecute",
"key": "node.kubernetes.io/unreachable",
"operator": "Exists",
"tolerationSeconds": 300
}],
"volumes": [{
"hostPath": {
"path": "/tmp",
"type": "Directory"
},
"name": "tmp"
}, {
"name": "storage-provisioner-token-bbjlq",
"secret": {
"defaultMode": 420,
"secretName": "storage-provisioner-token-bbjlq"
}
}]
},
"status": {
"conditions": [{
"lastProbeTime": null,
"lastTransitionTime": "2021-06-20T09:07:23Z",
"status": "True",
"type": "Initialized"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-08-17T05:51:01Z",
"status": "True",
"type": "Ready"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-08-17T05:51:01Z",
"status": "True",
"type": "ContainersReady"
}, {
"lastProbeTime": null,
"lastTransitionTime": "2021-06-20T09:07:23Z",
"status": "True",
"type": "PodScheduled"
}],
"containerStatuses": [{
"containerID": "docker://63ce793c99c71f557901a39c23d5bb6cad98e363fe382371abe38c760a09eee5",
"image": "gcr.io/k8s-minikube/storage-provisioner:v4",
"imageID": "docker-pullable://gcr.io/k8s-minikube/storage-provisioner@sha256:06f83c679a723d938b8776510d979c69549ad7df516279981e23554b3e68572f",
"lastState": {
"terminated": {
"containerID": "docker://b69e8f6288ca615d0292cfd31a9bd3e21b92fcce9152ff9341cdea4aa25b0d04",
"exitCode": 1,
"finishedAt": "2021-08-17T05:50:49Z",
"reason": "Error",
"startedAt": "2021-08-17T05:50:18Z"
}
},
"name": "storage-provisioner",
"ready": true,
"restartCount": 66,
"started": true,
"state": {
"running": {
"startedAt": "2021-08-17T05:51:00Z"
}
}
}],
"hostIP": "10.0.2.15",
"phase": "Running",
"podIP": "10.0.2.15",
"podIPs": [{
"ip": "10.0.2.15"
}],
"qosClass": "BestEffort",
"startTime": "2021-06-20T09:07:23Z"
}
}]
},
"context": null,
"rulename": "",
"exceptionName": ""
}, {
"alertMessage": "Deployment: ca-webhook has: docker-socket-volume as hostPath volume",
"packagename": "armo_builtins",
"alertScore": 0,
"alertObject": {
"k8sApiObjects": [{
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"annotations": {
"deployment.kubernetes.io/revision": "1",
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"metadata\":{\"annotations\":{},\"labels\":{\"app\":\"ca-webhook\",\"tier\":\"cyberarmor-system-control-plane\"},\"name\":\"ca-webhook\",\"namespace\":\"cyberarmor-system\"},\"spec\":{\"replicas\":1,\"selector\":{\"matchLabels\":{\"app\":\"ca-webhook\"}},\"template\":{\"metadata\":{\"annotations\":{\"certificate\":\"395eae367cb93800feb9c64c477f5bf8 ca.crt\"},\"labels\":{\"app\":\"ca-webhook\",\"tier\":\"cyberarmor-system-control-plane\"}},\"spec\":{\"containers\":[{\"args\":[\"-tlsCertFile=/etc/webhook/certs/tls.crt\",\"-tlsKeyFile=/etc/webhook/certs/tls.key\",\"-alsologtostderr\",\"-v=4\",\"2\\u003e\\u00261\"],\"env\":[{\"name\":\"CA_CLUSTER_NAME\",\"valueFrom\":{\"configMapKeyRef\":{\"key\":\"clusterName\",\"name\":\"armo-be-config\"}}},{\"name\":\"CA_CUSTOMER_GUID\",\"valueFrom\":{\"configMapKeyRef\":{\"key\":\"customerGUID\",\"name\":\"armo-be-config\"}}},{\"name\":\"CA_WEBHOOK_NAME\",\"value\":\"ca-webhook\"},{\"name\":\"CA_WEBHOOK_PORT\",\"value\":\"443\"},{\"name\":\"CA_NAMESPACE\",\"valueFrom\":{\"fieldRef\":{\"fieldPath\":\"metadata.namespace\"}}},{\"name\":\"CA_DASHBOARD_BACKEND\",\"valueFrom\":{\"configMapKeyRef\":{\"key\":\"dashboard\",\"name\":\"armo-be-config\"}}},{\"name\":\"CA_LOGIN_SECRET_NAME\",\"value\":\"ca-login\"},{\"name\":\"CA_ORACLE_SERVER\",\"value\":\"http://ca-oracle:4000\"},{\"name\":\"CA_NOTIFICATION_SERVER\",\"value\":\"http://ca-notification-server:8001\"},{\"name\":\"CA_OCIMAGE_URL\",\"value\":\"http://ca-ocimage:8080\"},{\"name\":\"CA_USE_DOCKER\",\"value\":\"true\"},{\"name\":\"CA_K8S_REPORT_URL\",\"valueFrom\":{\"configMapKeyRef\":{\"key\":\"eventReceiverWS\",\"name\":\"armo-be-config\"}}},{\"name\":\"CA_EVENT_RECEIVER_HTTP\",\"valueFrom\":{\"configMapKeyRef\":{\"key\":\"eventReceiverREST\",\"name\":\"armo-be-config\"}}}],\"image\":\"quay.io/armosec/k8s-ca-webhook-ubi:latest\",\"imagePullPolicy\":\"Always\",\"name\":\"ca-webhook\",\"ports\":[{\"containerPort\":443,\"name\":\"mutating-port\"},{\"containerPort\":8000,\"name\":\"readiness-port\"}],\"readinessProbe\":{\"httpGet\":{\"path\":\"/v1/readiness\",\"port\":\"readiness-port\"},\"initialDelaySeconds\":10,\"periodSeconds\":5},\"resources\":{\"limits\":{\"cpu\":\"1500m\",\"memory\":\"600Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"100Mi\"}},\"volumeMounts\":[{\"mountPath\":\"/var/run/docker.sock\",\"name\":\"docker-socket-volume\"},{\"mountPath\":\"/cazips\",\"name\":\"zip-download\"},{\"mountPath\":\"/etc/webhook/certs\",\"name\":\"ca-cluster-certificate\",\"readOnly\":true},{\"mountPath\":\"/etc/credentials\",\"name\":\"ca-login\",\"readOnly\":true},{\"mountPath\":\"/etc/config\",\"name\":\"armo-be-config\",\"readOnly\":true}]}],\"serviceAccountName\":\"ca-controller-service-account\",\"volumes\":[{\"hostPath\":{\"path\":\"/var/run/docker.sock\"},\"name\":\"docker-socket-volume\"},{\"emptyDir\":{},\"name\":\"zip-download\"},{\"name\":\"ca-cluster-certificate\",\"secret\":{\"secretName\":\"ca-cluster-certificate\"}},{\"name\":\"ca-login\",\"secret\":{\"secretName\":\"ca-login\"}},{\"configMap\":{\"items\":[{\"key\":\"clusterData\",\"path\":\"clusterData.json\"}],\"name\":\"armo-be-config\"},\"name\":\"armo-be-config\"}]}}}}\n"
},
"creationTimestamp": "2021-08-18T05:22:32Z",
"generation": 1,
"labels": {
"app": "ca-webhook",
"tier": "cyberarmor-system-control-plane"
},
"name": "ca-webhook",
"namespace": "cyberarmor-system",
"resourceVersion": "1329860",
"selfLink": "/apis/apps/v1/namespaces/cyberarmor-system/deployments/ca-webhook",
"uid": "d7c4231f-b028-4257-a7b4-7bc59cc5c53b"
},
"spec": {
"progressDeadlineSeconds": 600,
"replicas": 1,
"revisionHistoryLimit": 10,
"selector": {
"matchLabels": {
"app": "ca-webhook"
}
},
"strategy": {
"rollingUpdate": {
"maxSurge": "25%",
"maxUnavailable": "25%"
},
"type": "RollingUpdate"
},
"template": {
"metadata": {
"annotations": {
"certificate": "395eae367cb93800feb9c64c477f5bf8 ca.crt"
},
"creationTimestamp": null,
"labels": {
"app": "ca-webhook",
"tier": "cyberarmor-system-control-plane"
}
},
"spec": {
"containers": [{
"args": ["-tlsCertFile=/etc/webhook/certs/tls.crt", "-tlsKeyFile=/etc/webhook/certs/tls.key", "-alsologtostderr", "-v=4", "2\u003e\u00261"],
"env": [{
"name": "CA_CLUSTER_NAME",
"valueFrom": {
"configMapKeyRef": {
"key": "clusterName",
"name": "armo-be-config"
}
}
}, {
"name": "CA_CUSTOMER_GUID",
"valueFrom": {
"configMapKeyRef": {
"key": "customerGUID",
"name": "armo-be-config"
}
}
}, {
"name": "CA_WEBHOOK_NAME",
"value": "ca-webhook"
}, {
"name": "CA_WEBHOOK_PORT",
"value": "443"
}, {
"name": "CA_NAMESPACE",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.namespace"
}
}
}, {
"name": "CA_DASHBOARD_BACKEND",
"valueFrom": {
"configMapKeyRef": {
"key": "dashboard",
"name": "armo-be-config"
}
}
}, {
"name": "CA_LOGIN_SECRET_NAME",
"value": "ca-login"
}, {
"name": "CA_ORACLE_SERVER",
"value": "http://ca-oracle:4000"
}, {
"name": "CA_NOTIFICATION_SERVER",
"value": "http://ca-notification-server:8001"
}, {
"name": "CA_OCIMAGE_URL",
"value": "http://ca-ocimage:8080"
}, {
"name": "CA_USE_DOCKER",
"value": "true"
}, {
"name": "CA_K8S_REPORT_URL",
"valueFrom": {
"configMapKeyRef": {
"key": "eventReceiverWS",
"name": "armo-be-config"
}
}
}, {
"name": "CA_EVENT_RECEIVER_HTTP",
"valueFrom": {
"configMapKeyRef": {
"key": "eventReceiverREST",
"name": "armo-be-config"
}
}
}],
"image": "quay.io/armosec/k8s-ca-webhook-ubi:latest",
"imagePullPolicy": "Always",
"name": "ca-webhook",
"ports": [{
"containerPort": 443,
"name": "mutating-port",
"protocol": "TCP"
}, {
"containerPort": 8000,
"name": "readiness-port",
"protocol": "TCP"
}],
"readinessProbe": {
"failureThreshold": 3,
"httpGet": {
"path": "/v1/readiness",
"port": "readiness-port",
"scheme": "HTTP"
},
"initialDelaySeconds": 10,
"periodSeconds": 5,
"successThreshold": 1,
"timeoutSeconds": 1
},
"resources": {
"limits": {
"cpu": "1500m",
"memory": "600Mi"
},
"requests": {
"cpu": "300m",
"memory": "100Mi"
}
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [{
"mountPath": "/var/run/docker.sock",
"name": "docker-socket-volume"
}, {
"mountPath": "/cazips",
"name": "zip-download"
}, {
"mountPath": "/etc/webhook/certs",
"name": "ca-cluster-certificate",
"readOnly": true
}, {
"mountPath": "/etc/credentials",
"name": "ca-login",
"readOnly": true
}, {
"mountPath": "/etc/config",
"name": "armo-be-config",
"readOnly": true
}]
}],
"dnsPolicy": "ClusterFirst",
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {},
"serviceAccount": "ca-controller-service-account",
"serviceAccountName": "ca-controller-service-account",
"terminationGracePeriodSeconds": 30,
"volumes": [{
"hostPath": {
"path": "/var/run/docker.sock",
"type": ""
},
"name": "docker-socket-volume"
}, {
"emptyDir": {},
"name": "zip-download"
}, {
"name": "ca-cluster-certificate",
"secret": {
"defaultMode": 420,
"secretName": "ca-cluster-certificate"
}
}, {
"name": "ca-login",
"secret": {
"defaultMode": 420,
"secretName": "ca-login"
}
}, {
"configMap": {
"defaultMode": 420,
"items": [{
"key": "clusterData",
"path": "clusterData.json"
}],
"name": "armo-be-config"
},
"name": "armo-be-config"
}]
}
}
},
"status": {
"availableReplicas": 1,
"conditions": [{
"lastTransitionTime": "2021-08-18T05:23:08Z",
"lastUpdateTime": "2021-08-18T05:23:08Z",
"message": "Deployment has minimum availability.",
"reason": "MinimumReplicasAvailable",
"status": "True",
"type": "Available"
}, {
"lastTransitionTime": "2021-08-18T05:22:32Z",
"lastUpdateTime": "2021-08-18T05:23:08Z",
"message": "ReplicaSet \"ca-webhook-8595cb4cbb\" has successfully progressed.",
"reason": "NewReplicaSetAvailable",
"status": "True",
"type": "Progressing"
}],
"observedGeneration": 1,
"readyReplicas": 1,
"replicas": 1,
"updatedReplicas": 1
}
}]
},
"context": null,
"rulename": "",
"exceptionName": ""
}, {
"alertMessage": "Deployment: ca-websocket has: docker-socket-volume as hostPath volume",
"packagename": "armo_builtins",
"alertScore": 0,
"alertObject": {
"k8sApiObjects": [{
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"annotations": {
"deployment.kubernetes.io/revision": "1",
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"metadata\":{\"annotations\":{},\"labels\":{\"app\":\"ca-websocket\",\"tier\":\"cyberarmor-system-control-plane\"},\"name\":\"ca-websocket\",\"namespace\":\"cyberarmor-system\"},\"spec\":{\"replicas\":1,\"selector\":{\"matchLabels\":{\"app\":\"ca-websocket\"}},\"template\":{\"metadata\":{\"labels\":{\"app\":\"ca-websocket\",\"tier\":\"cyberarmor-system-control-plane\"}},\"spec\":{\"containers\":[{\"args\":[\"-alsologtostderr\",\"-v=4\",\"2\\u003e\\u00261\"],\"env\":[{\"name\":\"CA_NAMESPACE\",\"valueFrom\":{\"fieldRef\":{\"fieldPath\":\"metadata.namespace\"}}},{\"name\":\"CA_USE_DOCKER\",\"value\":\"true\"},{\"name\":\"CA_VULN_SCAN_SCHEDULE\",\"value\":\"@every 11h\"},{\"name\":\"CA_POSTURE_SCAN_SCHEDULE\",\"value\":\"@every 12h\"},{\"name\":\"CA_DEBUG_SIGNER\",\"value\":null}],\"image\":\"quay.io/armosec/k8s-ca-websocket-ubi:latest\",\"imagePullPolicy\":\"Always\",\"name\":\"ca-websocket\",\"ports\":[{\"containerPort\":4002,\"name\":\"trigger-port\"},{\"containerPort\":8000,\"name\":\"readiness-port\"}],\"readinessProbe\":{\"httpGet\":{\"path\":\"/v1/readiness\",\"port\":\"readiness-port\"},\"initialDelaySeconds\":10,\"periodSeconds\":5},\"resources\":{\"limits\":{\"cpu\":\"1500m\",\"memory\":\"1000Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"200Mi\"}},\"volumeMounts\":[{\"mountPath\":\"/var/run/docker.sock\",\"name\":\"docker-socket-volume\"},{\"mountPath\":\"/etc/credentials\",\"name\":\"ca-login\",\"readOnly\":true},{\"mountPath\":\"/etc/config\",\"name\":\"armo-be-config\",\"readOnly\":true}]}],\"serviceAccountName\":\"ca-controller-service-account\",\"volumes\":[{\"hostPath\":{\"path\":\"/var/run/docker.sock\"},\"name\":\"docker-socket-volume\"},{\"name\":\"ca-login\",\"secret\":{\"secretName\":\"ca-login\"}},{\"configMap\":{\"items\":[{\"key\":\"clusterData\",\"path\":\"clusterData.json\"}],\"name\":\"armo-be-config\"},\"name\":\"armo-be-config\"}]}}}}\n"
},
"creationTimestamp": "2021-08-18T05:22:31Z",
"generation": 1,
"labels": {
"app": "ca-websocket",
"tier": "cyberarmor-system-control-plane"
},
"name": "ca-websocket",
"namespace": "cyberarmor-system",
"resourceVersion": "1329790",
"selfLink": "/apis/apps/v1/namespaces/cyberarmor-system/deployments/ca-websocket",
"uid": "81780f9e-2675-41d8-a640-35971377d2a6"
},
"spec": {
"progressDeadlineSeconds": 600,
"replicas": 1,
"revisionHistoryLimit": 10,
"selector": {
"matchLabels": {
"app": "ca-websocket"
}
},
"strategy": {
"rollingUpdate": {
"maxSurge": "25%",
"maxUnavailable": "25%"
},
"type": "RollingUpdate"
},
"template": {
"metadata": {
"creationTimestamp": null,
"labels": {
"app": "ca-websocket",
"tier": "cyberarmor-system-control-plane"
}
},
"spec": {
"containers": [{
"args": ["-alsologtostderr", "-v=4", "2\u003e\u00261"],
"env": [{
"name": "CA_NAMESPACE",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.namespace"
}
}
}, {
"name": "CA_USE_DOCKER",
"value": "true"
}, {
"name": "CA_VULN_SCAN_SCHEDULE",
"value": "@every 11h"
}, {
"name": "CA_POSTURE_SCAN_SCHEDULE",
"value": "@every 12h"
}, {
"name": "CA_DEBUG_SIGNER"
}],
"image": "quay.io/armosec/k8s-ca-websocket-ubi:latest",
"imagePullPolicy": "Always",
"name": "ca-websocket",
"ports": [{
"containerPort": 4002,
"name": "trigger-port",
"protocol": "TCP"
}, {
"containerPort": 8000,
"name": "readiness-port",
"protocol": "TCP"
}],
"readinessProbe": {
"failureThreshold": 3,
"httpGet": {
"path": "/v1/readiness",
"port": "readiness-port",
"scheme": "HTTP"
},
"initialDelaySeconds": 10,
"periodSeconds": 5,
"successThreshold": 1,
"timeoutSeconds": 1
},
"resources": {
"limits": {
"cpu": "1500m",
"memory": "1000Mi"
},
"requests": {
"cpu": "300m",
"memory": "200Mi"
}
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [{
"mountPath": "/var/run/docker.sock",
"name": "docker-socket-volume"
}, {
"mountPath": "/etc/credentials",
"name": "ca-login",
"readOnly": true
}, {
"mountPath": "/etc/config",
"name": "armo-be-config",
"readOnly": true
}]
}],
"dnsPolicy": "ClusterFirst",
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {},
"serviceAccount": "ca-controller-service-account",
"serviceAccountName": "ca-controller-service-account",
"terminationGracePeriodSeconds": 30,
"volumes": [{
"hostPath": {
"path": "/var/run/docker.sock",
"type": ""
},
"name": "docker-socket-volume"
}, {
"name": "ca-login",
"secret": {
"defaultMode": 420,
"secretName": "ca-login"
}
}, {
"configMap": {
"defaultMode": 420,
"items": [{
"key": "clusterData",
"path": "clusterData.json"
}],
"name": "armo-be-config"
},
"name": "armo-be-config"
}]
}
}
},
"status": {
"availableReplicas": 1,
"conditions": [{
"lastTransitionTime": "2021-08-18T05:22:46Z",
"lastUpdateTime": "2021-08-18T05:22:46Z",
"message": "Deployment has minimum availability.",
"reason": "MinimumReplicasAvailable",
"status": "True",
"type": "Available"
}, {
"lastTransitionTime": "2021-08-18T05:22:31Z",
"lastUpdateTime": "2021-08-18T05:22:46Z",
"message": "ReplicaSet \"ca-websocket-7dd46ffd9c\" has successfully progressed.",
"reason": "NewReplicaSetAvailable",
"status": "True",
"type": "Progressing"
}],
"observedGeneration": 1,
"readyReplicas": 1,
"replicas": 1,
"updatedReplicas": 1
}
}]
},
"context": null,
"rulename": "",
"exceptionName": ""
}, {
"alertMessage": "DaemonSet: kube-proxy has: xtables-lock as hostPath volume",
"packagename": "armo_builtins",
"alertScore": 0,
"alertObject": {
"k8sApiObjects": [{
"apiVersion": "apps/v1",
"kind": "DaemonSet",
"metadata": {
"annotations": {
"deprecated.daemonset.template.generation": "1"
},
"creationTimestamp": "2021-06-20T09:07:08Z",
"generation": 1,
"labels": {
"k8s-app": "kube-proxy"
},
"name": "kube-proxy",
"namespace": "kube-system",
"resourceVersion": "862497",
"selfLink": "/apis/apps/v1/namespaces/kube-system/daemonsets/kube-proxy",
"uid": "dd1ba553-66da-47bc-8bc1-79c4b2f47dab"
},
"spec": {
"revisionHistoryLimit": 10,
"selector": {
"matchLabels": {
"k8s-app": "kube-proxy"
}
},
"template": {
"metadata": {
"creationTimestamp": null,
"labels": {
"k8s-app": "kube-proxy"
}
},
"spec": {
"containers": [{
"command": ["/usr/local/bin/kube-proxy", "--config=/var/lib/kube-proxy/config.conf", "--hostname-override=$(NODE_NAME)"],
"env": [{
"name": "NODE_NAME",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "spec.nodeName"
}
}
}],
"image": "k8s.gcr.io/kube-proxy:v1.16.0",
"imagePullPolicy": "IfNotPresent",
"name": "kube-proxy",
"resources": {},
"securityContext": {
"privileged": true
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [{
"mountPath": "/var/lib/kube-proxy",
"name": "kube-proxy"
}, {
"mountPath": "/run/xtables.lock",
"name": "xtables-lock"
}, {
"mountPath": "/lib/modules",
"name": "lib-modules",
"readOnly": true
}]
}],
"dnsPolicy": "ClusterFirst",
"hostNetwork": true,
"nodeSelector": {
"beta.kubernetes.io/os": "linux"
},
"priorityClassName": "system-node-critical",
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {},
"serviceAccount": "kube-proxy",
"serviceAccountName": "kube-proxy",
"terminationGracePeriodSeconds": 30,
"tolerations": [{
"key": "CriticalAddonsOnly",
"operator": "Exists"
}, {
"operator": "Exists"
}],
"volumes": [{
"configMap": {
"defaultMode": 420,
"name": "kube-proxy"
},
"name": "kube-proxy"
}, {
"hostPath": {
"path": "/run/xtables.lock",
"type": "FileOrCreate"
},
"name": "xtables-lock"
}, {
"hostPath": {
"path": "/lib/modules",
"type": ""
},
"name": "lib-modules"
}]
}
},
"updateStrategy": {
"rollingUpdate": {
"maxUnavailable": 1
},
"type": "RollingUpdate"
}
},
"status": {
"currentNumberScheduled": 1,
"desiredNumberScheduled": 1,
"numberAvailable": 1,
"numberMisscheduled": 0,
"numberReady": 1,
"observedGeneration": 1,
"updatedNumberScheduled": 1
}
}]
},
"context": null,
"rulename": "",
"exceptionName": ""
}],
"NumOfResources": 0
}],
"remediation": "Try to refrain from using hostPath mounts. You can use ARMO runtime protection (encryption capability) to encrypt these files.",
"description": "Mounting a host directory into the container can be used by attackers to gain access to the underlying host."
}
]
}