From 66463d942d945fe9f41cf669e43f72a8b04104e5 Mon Sep 17 00:00:00 2001
From: Ronnie Webb
Date: Sun, 22 Aug 2021 21:29:29 -0500
Subject: [PATCH 01/36] adding control plane limits
---
 chart/values.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/chart/values.yaml b/chart/values.yaml
index d28608e..83cd575 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -27,13 +27,13 @@ ingressGateways:
 extraLabels: {} # Automatic labels: 'app: {ingress gateway name}' and `istio: ingressgateway`
 k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
 # hpaSpec: By default, HPA is set from 1-5 instances with a target average utilization of 80%
- resources: {}
- # requests:
- # cpu: 500m
- # memory: 1Gi
- # limits:
- # cpu: 1.5
- # memory: 3Gi
+ resources:
+ requests:
+ cpu: 1.5
+ memory: 2Gi
+ limits:
+ cpu: 1.5
+ memory: 2Gi
 service:
 type: "LoadBalancer" # or "NodePort"
 # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup
-- GitLab
From 97a62dbedde536864f48862aec2ff03c8c381ce1 Mon Sep 17 00:00:00 2001
From: Ronnie Webb
Date: Mon, 23 Aug 2021 19:13:36 -0500
Subject: [PATCH 02/36] adding control plane proxy changes
---
 chart/templates/controlplane.yaml | 10 ++++++++++
 chart/values.yaml | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/chart/templates/controlplane.yaml b/chart/templates/controlplane.yaml
index d1e7344..a82265a 100644
--- a/chart/templates/controlplane.yaml
+++ b/chart/templates/controlplane.yaml
@@ -115,6 +115,16 @@ spec:
 {{- if .Values.values.global }}
 {{- toYaml .Values.values.global | nindent 6 }}
 {{- end }}
+ proxy:
+ image: proxyv2
+ clusterDomain: "cluster.local"
+ resources:
+ requests:
+ cpu: 150m
+ memory: 128Mi
+ limits:
+ cpu: 150m
+ memory: 128Mi
 sidecarInjectorWebhook:
 rewriteAppHTTPProbe: true
 {{- if .Values.openshift }}
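Review bot: The new `resources:` block in the ingressGateways hunk pins requests and limits to the same 1.5 CPU / 2Gi, which (assuming the gateway pod has no other containers) gives it Guaranteed QoS but also means any CPU burst above 1.5 cores is throttled rather than absorbed, and with the `hpaSpec` comment above it allowing up to 5 replicas, small clusters may be unable to schedule the gateway at all. The replaced commented example kept the limit above the request; if the hard cap is intentional, say so in a comment above `resources:` such as `# requests == limits: Guaranteed QoS for the gateway; raise limits if TLS termination is CPU-throttled`. `cpu: 1.5` is an unquoted YAML float (Helm should re-render it as `1.5`, which the API server accepts as a quantity), but the chart otherwise writes quantities in the `500m` / `150m` style, so `cpu: 1500m` would be more consistent and avoids any float round-trip question.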
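Review bot: The `proxy:` block added to chart/templates/controlplane.yaml is emitted unconditionally right after `{{- toYaml .Values.values.global | nindent 6 }}`, so a deployment that already sets `values.global.proxy` in its values renders two `proxy:` keys under `global`, which YAML consumers either reject or resolve last-wins, silently discarding the user's settings. Nothing in the block is overridable from values either, including `clusterDomain: "cluster.local"`, which breaks clusters that use a custom DNS domain. These defaults belong in values.yaml under `values.global.proxy` so Helm's value merge handles overrides, which is what PATCH 03/36 on this page subsequently does; the template should then carry no copy. The enclosing `spec:` block starts outside the hunk.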
diff --git a/chart/values.yaml b/chart/values.yaml
index 83cd575..bc72c54 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -115,7 +115,7 @@ istiod:
 targetAverageUtilization: 60
 strategy: {}
 # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- podAnnotations: {}
+ podAnnotations: {}
 # k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
 serviceAnnotations: {}
-- GitLab
From b82122161072199690b93c135be4764958b58e08 Mon Sep 17 00:00:00 2001
From: Ronnie Webb
Date: Mon, 23 Aug 2021 20:57:18 -0500
Subject: [PATCH 03/36] adding global control plane values
---
 chart/templates/controlplane.yaml | 10 ----------
 chart/values.yaml | 13 +++++++++++--
 2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/chart/templates/controlplane.yaml b/chart/templates/controlplane.yaml
index a82265a..d1e7344 100644
--- a/chart/templates/controlplane.yaml
+++ b/chart/templates/controlplane.yaml
@@ -115,16 +115,6 @@ spec:
 {{- if .Values.values.global }}
 {{- toYaml .Values.values.global | nindent 6 }}
 {{- end }}
- proxy:
- image: proxyv2
- clusterDomain: "cluster.local"
- resources:
- requests:
- cpu: 150m
- memory: 128Mi
- limits:
- cpu: 150m
- memory: 128Mi
 sidecarInjectorWebhook:
 rewriteAppHTTPProbe: true
 {{- if .Values.openshift }}
diff --git a/chart/values.yaml b/chart/values.yaml
index bc72c54..daa61ff 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -154,8 +154,17 @@ cni:
 meshConfig: {}
 values:
- global: {}
-
+ global:
+ proxy:
+ image: proxyv2
+ clusterDomain: "cluster.local"
+ resources:
+ requests:
+ cpu: 150m
+ memory: 128Mi
+ limits:
+ cpu: 150m
+ memory: 128Mi
 networkPolicies:
 enabled: false
 # See `kubectl cluster-info` and then resolve to IP
-- GitLab
From cff28103337d05084dfd6d758e0495c814b751ed Mon Sep 17 00:00:00 2001
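Review bot: The new `values.global.proxy.resources` in chart/values.yaml (hunk at -154) caps every injected sidecar at 150m CPU / 128Mi memory with requests equal to limits; Envoy's memory footprint grows with the number of services and endpoints pushed to it, so a 128Mi hard limit is likely to OOM-kill sidecars as the mesh grows, and because all of a pod's traffic is redirected through its sidecar that takes the workload down with it, while the 150m CPU cap throttles any workload with real throughput. As far as I recall, upstream Istio's default sidecar limits sit far above its requests (around 2 CPU / 1Gi) for exactly this reason, so either raise the limits above the requests or document the choice with a comment above `proxy:` such as `# Applied to every injected sidecar; limits are deliberately tight, raise them for larger meshes`, and note next to `clusterDomain: "cluster.local"` that clusters with a custom DNS domain must override it. The hunk also removes the blank line that separated `values:` from `networkPolicies:`; keep one blank line between top-level stanzas. The same block was hard-coded in the template in PATCH 02/36 and is removed again here, so this hunk is the one that now governs the sidecar defaults.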
From: Ronnie Webb
Date: Mon, 23 Aug 2021 22:56:55 -0500
Subject: [PATCH 04/36] adding global control plane values to annotations
---
 chart/gatekeeper-report.json | 3551 ++++++++++++++++++++++++++++++++++
 chart/values.yaml | 6 +-
 2 files changed, 3556 insertions(+), 1 deletion(-)
 create mode 100644 chart/gatekeeper-report.json
diff --git a/chart/gatekeeper-report.json b/chart/gatekeeper-report.json
new file mode 100644
index 0000000..762e473
--- /dev/null
+++ b/chart/gatekeeper-report.json
@@ -0,0 +1,3551 @@ +{ + "Name": "Automatic Istio Sidecar Injection", + "Description": "Namespaces must have automatic Istio Sidecar injection enabled.", + "Version": "v3.5.1", + "Parameters": { + "labels": [ + { + "allowedRegex": "^enabled", + "key": "istio-injection" + } + ] + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/requiredlabels", + "Docs": "https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#injection", + "Related": "https://istio.io/latest/docs/reference/config/networking/sidecar/", + "TotalViolations": 10, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Namespace", + "message": "you must provide labels: {\"istio-injection\"}", + "name": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Namespace", + "message": "you must provide labels: {\"istio-injection\"}", + "name": "kube-public" + }, + { + "enforcementAction": "dryrun", + "kind": "Namespace", + "message": "you must provide labels: {\"istio-injection\"}", + "name": "kube-node-lease" + }, + { + "enforcementAction": "dryrun", + "kind": "Namespace", + "message": "you must provide labels: {\"istio-injection\"}", + "name": "bigbang" + }, + { + "enforcementAction": "dryrun", + "kind": "Namespace", + "message": "you must provide labels: {\"istio-injection\"}", + "name": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Namespace", + "message": "Label does not satisfy allowed regex: ^enabled", + "name": "istio-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Namespace", + "message": "Label does not satisfy allowed regex: ^enabled", + "name": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Namespace", + "message": "Label does not satisfy allowed regex: ^enabled", + "name": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Namespace", + "message": "Label does not satisfy allowed regex: ^enabled", + "name": "monitoring" + }, + { + 
"enforcementAction": "dryrun", + "kind": "Namespace", + "message": "Label does not satisfy allowed regex: ^enabled", + "name": "istio-system" + } + ] +} +{ + "Name": "Required Labels", + "Description": "Containers must have the specified labels.", + "Version": "v3.5.1", + "Parameters": { + "labels": [ + { + "allowedRegex": "", + "key": "app.kubernetes.io/name" + }, + { + "allowedRegex": "", + "key": "app.kubernetes.io/instance" + }, + { + "allowedRegex": "", + "key": "app.kubernetes.io/version" + }, + { + "allowedRegex": "", + "key": "app.kubernetes.io/component" + }, + { + "allowedRegex": "", + "key": "app.kubernetes.io/part-of" + }, + { + "allowedRegex": "", + "key": "app.kubernetes.io/managed-by" + } + ] + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/requiredlabels", + "Docs": "https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/", + "TotalViolations": 32, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "helm-controller-6c67b58f78-z68tg", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "kustomize-controller-d689c6688-7ftpn", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + 
"name": "notification-controller-65dffcb7-9kwsx", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "source-controller-5fdb69cc66-zmdmv", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "istio-operator-5f6cfb6d5b-zc4wq", + "namespace": "istio-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "elastic-operator-0", + "namespace": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", 
\"app.kubernetes.io/version\"}", + "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", + "namespace": "monitoring" + }, + 
{ + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\"}", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide 
labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\"}", + "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", + "namespace": "kiali" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "twistlock-console-65c7694cb-fqvvs", + "namespace": "twistlock" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "keycloak-postgresql-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "nexus-repository-manager-8cb6f55fb-qp6pf", + "namespace": "nexus-repository-manager" + }, + { + "enforcementAction": 
"dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/version\"}", + "name": "jaeger-855f748464-kb52h", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", + "name": "logging-ek-es-master-0", + "namespace": "logging" + } + ] +} +{ + "Name": "Deny Service Account Default", + "Description": "Pods are not allowed to use default SA.", + "Version": "v3.5.1", + "Source": "Unspecified", + "Docs": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server", + "Related": "https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller", + "TotalViolations": 1, + "Violations": [ + { + 
"enforcementAction": "dryrun", + "kind": "Pod", + "message": "Default Service Account is not allowed for pod keycloak-postgresql-0 in namespace keycloak", + "name": "keycloak-postgresql-0", + "namespace": "keycloak" + } + ] +} +{ + "Name": "Privilege Escalation", + "Description": "Containers must not allow escalaton of privileges.", + "Version": "v3.5.1", + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/allow-privilege-escalation", + "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1", + "Related": "https://en.wikipedia.org/wiki/Privilege_escalation", + "TotalViolations": 33, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: velero", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: velero-plugin-for-aws", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: manager", + "name": "elastic-operator-0", + "namespace": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: kibana", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: elastic-internal-init-config", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: node-exporter", + "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", + "namespace": "monitoring" + }, + { + "enforcementAction": 
"dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: node-exporter", + "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: kube-state-metrics", + "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: node-exporter", + "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: node-exporter", + "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: prometheus", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: config-reloader", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: fluent-bit", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: alertmanager", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: config-reloader", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + 
"namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: fluent-bit", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: fluent-bit", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: fluent-bit", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: grafana-sc-dashboard", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: grafana", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: grafana-sc-datasources", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: jaeger-jaeger-jaeger-operator", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: twistlock-console", + "name": "twistlock-console-65c7694cb-fqvvs", + "namespace": "twistlock" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: keycloak-postgresql", + "name": "keycloak-postgresql-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + 
"kind": "Pod", + "message": "Privilege escalation container is not allowed: nexus-repository-manager", + "name": "nexus-repository-manager-8cb6f55fb-qp6pf", + "namespace": "nexus-repository-manager" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: keycloak", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: jaeger", + "name": "jaeger-855f748464-kb52h", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: elasticsearch", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: elastic-internal-init-filesystem", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: elasticsearch", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: elastic-internal-init-filesystem", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: elasticsearch", + "name": "logging-ek-es-master-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Privilege escalation container is not allowed: elastic-internal-init-filesystem", + "name": "logging-ek-es-master-0", + "namespace": "logging" + } + ] +} +{ + "Name": "SELinux", + "Description": "Containers may only use the SELnux options specified.", + "Version": "v3.5.1", + "Parameters": { + "allowedSELinuxOptions": [] + }, + "Source": 
"https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/selinux", + "Docs": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#assign-selinux-labels-to-a-container", + "Related": "https://en.wikipedia.org/wiki/Security-Enhanced_Linux", + "TotalViolations": 0 +} +{ + "Name": "External IPs", + "Description": "Services may only contain specified external IPs.", + "Version": "v3.5.1", + "Parameters": { + "allowedIPs": [] + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/externalip", + "Docs": "https://kubernetes.io/docs/concepts/services-networking/service/#external-ips", + "TotalViolations": 0 +} +{ + "Name": "Host Filesystem Paths", + "Description": "Containers may only map volumes to the host node at the specified paths.", + "Version": "v3.5.1", + "Parameters": { + "allowedHostPaths": [] + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/host-filesystem", + "Docs": "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath", + "TotalViolations": 16, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log\", \"type\": \"\"}, \"name\": \"varlog\"} is not allowed, pod: logging-fluent-bit-w6r8f. Allowed path: []", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/lib/docker/containers\", \"type\": \"\"}, \"name\": \"varlibdockercontainers\"} is not allowed, pod: logging-fluent-bit-w6r8f. 
Allowed path: []", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/etc/machine-id\", \"type\": \"File\"}, \"name\": \"etcmachineid\"} is not allowed, pod: logging-fluent-bit-w6r8f. Allowed path: []", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log/flb-storage/\", \"type\": \"DirectoryOrCreate\"}, \"name\": \"flb-storage\"} is not allowed, pod: logging-fluent-bit-w6r8f. Allowed path: []", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log\", \"type\": \"\"}, \"name\": \"varlog\"} is not allowed, pod: logging-fluent-bit-vbv5d. Allowed path: []", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/lib/docker/containers\", \"type\": \"\"}, \"name\": \"varlibdockercontainers\"} is not allowed, pod: logging-fluent-bit-vbv5d. Allowed path: []", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/etc/machine-id\", \"type\": \"File\"}, \"name\": \"etcmachineid\"} is not allowed, pod: logging-fluent-bit-vbv5d. Allowed path: []", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log/flb-storage/\", \"type\": \"DirectoryOrCreate\"}, \"name\": \"flb-storage\"} is not allowed, pod: logging-fluent-bit-vbv5d. 
Allowed path: []", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log\", \"type\": \"\"}, \"name\": \"varlog\"} is not allowed, pod: logging-fluent-bit-42hth. Allowed path: []", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/lib/docker/containers\", \"type\": \"\"}, \"name\": \"varlibdockercontainers\"} is not allowed, pod: logging-fluent-bit-42hth. Allowed path: []", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/etc/machine-id\", \"type\": \"File\"}, \"name\": \"etcmachineid\"} is not allowed, pod: logging-fluent-bit-42hth. Allowed path: []", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log/flb-storage/\", \"type\": \"DirectoryOrCreate\"}, \"name\": \"flb-storage\"} is not allowed, pod: logging-fluent-bit-42hth. Allowed path: []", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log\", \"type\": \"\"}, \"name\": \"varlog\"} is not allowed, pod: logging-fluent-bit-pxsjg. Allowed path: []", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/lib/docker/containers\", \"type\": \"\"}, \"name\": \"varlibdockercontainers\"} is not allowed, pod: logging-fluent-bit-pxsjg. 
Allowed path: []", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/etc/machine-id\", \"type\": \"File\"}, \"name\": \"etcmachineid\"} is not allowed, pod: logging-fluent-bit-pxsjg. Allowed path: []", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log/flb-storage/\", \"type\": \"DirectoryOrCreate\"}, \"name\": \"flb-storage\"} is not allowed, pod: logging-fluent-bit-pxsjg. Allowed path: []", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + } + ] +} +{ + "Name": "SysCtls", + "Description": "Containers must not use specified sysctls.", + "Version": "v3.5.1", + "Parameters": { + "forbiddenSysctls": [ + "*" + ] + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/forbidden-sysctls", + "Docs": "https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#setting-sysctls-for-a-pod", + "Related": "https://man7.org/linux/man-pages/man8/sysctl.8.html", + "TotalViolations": 0 +} +{ + "Name": "Unique Ingress Hosts", + "Description": "Ingress hosts must be unique.", + "Version": "v3.5.1", + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/uniqueingresshost", + "Docs": "https://kubernetes.io/docs/concepts/services-networking/ingress/", + "TotalViolations": 0 +} +{ + "Name": "Proc Mount", + "Description": "Containers may only use the specified ProcMount types.", + "Version": "v3.5.1", + "Parameters": { + "procMount": "Default" + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/proc-mount", + "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1", + "TotalViolations": 0 +} 
+{ + "Name": "Probes", + "Description": "Container must have specified probes and probe types.", + "Version": "v3.5.1", + "Parameters": { + "probeTypes": [ + "tcpSocket", + "httpGet", + "exec" + ], + "probes": [ + "readinessProbe", + "livenessProbe" + ] + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/requiredprobes", + "Docs": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "Related": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes", + "TotalViolations": 27, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "istio-operator-5f6cfb6d5b-zc4wq", + "namespace": "istio-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "istio-operator-5f6cfb6d5b-zc4wq", + "namespace": "istio-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "elastic-operator-0", + "namespace": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "elastic-operator-0", + "namespace": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", + "namespace": 
"monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + 
"name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", + "namespace": "kiali" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", + "namespace": "kiali" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "twistlock-console-65c7694cb-fqvvs", + "namespace": "twistlock" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "twistlock-console-65c7694cb-fqvvs", + "namespace": "twistlock" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container in your has no ", + "name": "logging-ek-es-master-0", + "namespace": "logging" + } + ] +} +{ + "Name": "Taints and Tolerations", + "Description": "Container must be configured according to specified taint and toleration rules.", + "Version": "v3.5.1", + "Parameters": { + "allowGlobalToleration": false, + "restrictedTaint": { + "effect": "NoSchedule", + "key": "privileged", + "value": "true" + } + }, + "Source": "https://github.com/stackrox/blog-examples/tree/master/code/opa-gatekeeper-taint-tolerations", + "Docs": "https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/", + "Related": 
"https://www.openshift.com/blog/better-kubernetes-security-with-open-policy-agent-opa-part-2", + "TotalViolations": 0 +} +{ + "Name": "Istio Sidecar in Containers", + "Description": "Containers must have Istio Sidecar injection enabled.", + "Version": "v3.5.1", + "Parameters": { + "annotations": [ + { + "disallowedRegex": "^false", + "key": "sidecar.istio.io/inject" + } + ] + }, + "Source": "Unspecified", + "Docs": "https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#injection", + "Related": "https://istio.io/latest/docs/reference/config/networking/sidecar/", + "TotalViolations": 0 +} +{ + "Name": "Host Network Ports", + "Description": "Container images may only use host ports that are specified.", + "Version": "v3.5.1", + "Parameters": { + "hostNetwork": false + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/host-network-ports", + "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hosts-namespaces", + "Related": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces", + "TotalViolations": 0 +} +{ + "Name": "Image Repositories", + "Description": "Container images must be pulled from the specified repositories.", + "Version": "v3.5.1", + "Parameters": { + "exemptContainers": [], + "repos": [ + "registry1.dso.mil", + "registry.dso.mil" + ] + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/allowedrepos", + "Docs": "https://kubernetes.io/docs/concepts/containers/images/", + "TotalViolations": 0 +} +{ + "Name": "Ingress on HTTPS Only", + "Description": "Ingress must only allow HTTPS connections.", + "Version": "v3.5.1", + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/httpsonly", + "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec", + "Related": 
"https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-xlb#disabling_http", + "TotalViolations": 0 +} +{ + "Name": "Resource Ratio", + "Description": "Container resource limits to requests ratio must not be higher than specified.", + "Version": "v3.5.1", + "Parameters": { + "ratio": "2" + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/containerresourceratios", + "Docs": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", + "TotalViolations": 19, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container cpu limit <100m> is higher than the maximum allowed ratio of <2>", + "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container cpu limit <600m> is higher than the maximum allowed ratio of <2>", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container memory limit <2Gi> is higher than the maximum allowed ratio of <2>", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container cpu limit <300m> is higher than the maximum allowed ratio of <2>", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container memory limit <1500Mi> is higher than the maximum allowed ratio of <2>", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource limits", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no 
resource requests", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource limits", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource requests", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource limits", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource requests", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource limits", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource requests", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource limits", + "name": "nexus-repository-manager-8cb6f55fb-qp6pf", + "namespace": "nexus-repository-manager" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container cpu limit <500m> is higher than the maximum allowed ratio of <2>", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container memory limit <1Gi> is higher than the maximum allowed ratio of <2>", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container cpu limit <4> is higher than the maximum allowed ratio of <2>", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": 
"container cpu limit <4> is higher than the maximum allowed ratio of <2>", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container cpu limit <2> is higher than the maximum allowed ratio of <2>", + "name": "logging-ek-es-master-0", + "namespace": "logging" + } + ] +} +{ + "Name": "Volume Types", + "Description": "Containers may only use the specified volume types in volume mounts.", + "Version": "v3.5.1", + "Parameters": { + "volumes": [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim" + ] + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/volumes", + "Docs": "https://kubernetes.io/docs/concepts/storage/volumes/#volume-types", + "TotalViolations": 0 +} +{ + "Name": "Unique Service Selector", + "Description": "Services must have unique selectors within a namespace.", + "Version": "v3.5.1", + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/uniqueserviceselector", + "Docs": "https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service", + "Related": "https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors", + "TotalViolations": 50, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": 
"kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + 
"name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace 
", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "kubernetes", + "namespace": "default" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "notification-controller", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "webhook-receiver", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "logging-ek-es-transport", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "logging-ek-es-http", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "keycloak-headless", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "keycloak-http", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-collector-headless", + "namespace": "jaeger" + }, + { + "enforcementAction": 
"dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-collector-headless", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-collector-headless", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-collector", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-collector", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-collector", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-query", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-query", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-query", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-agent", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-agent", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Service", + "message": "same selector as service in namespace ", + "name": "jaeger-agent", + "namespace": "jaeger" + } + ] +} +{ + "Name": "Privilged Containers", + "Description": "Containers must not run as privileged.", + "Version": "v3.5.1", + "Source": 
"https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/privileged-containers", + "Docs": "https://kubernetes.io/docs/concepts/workloads/pods/#privileged-mode-for-containers", + "TotalViolations": 0 +} +{ + "Name": "Read-only Root Filesystem", + "Description": "Containers must have read-only root filesystems.", + "Version": "v3.5.1", + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/read-only-root-filesystem", + "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1", + "TotalViolations": 30, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: velero", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: velero-plugin-for-aws", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: manager", + "name": "elastic-operator-0", + "namespace": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: kibana", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: elastic-internal-init-config", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: node-exporter", + "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": 
"Pod", + "message": "only read-only root filesystem container is allowed: node-exporter", + "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: kube-state-metrics", + "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: node-exporter", + "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: node-exporter", + "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: prometheus", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: config-reloader", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: alertmanager", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: config-reloader", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: grafana-sc-dashboard", + 
"name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: grafana", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: grafana-sc-datasources", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: operator", + "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", + "namespace": "kiali" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: jaeger-jaeger-jaeger-operator", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: keycloak-postgresql", + "name": "keycloak-postgresql-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: nexus-repository-manager", + "name": "nexus-repository-manager-8cb6f55fb-qp6pf", + "namespace": "nexus-repository-manager" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: keycloak", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: pgchecker", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: jaeger", + "name": 
"jaeger-855f748464-kb52h", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: elasticsearch", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: elastic-internal-init-filesystem", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: elasticsearch", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: elastic-internal-init-filesystem", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: elasticsearch", + "name": "logging-ek-es-master-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "only read-only root filesystem container is allowed: elastic-internal-init-filesystem", + "name": "logging-ek-es-master-0", + "namespace": "logging" + } + ] +} +{ + "Name": "Host Namespace", + "Description": "Containers must not share the host's namespaces", + "Version": "v3.5.1", + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/host-namespaces", + "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hosts-namespaces", + "Related": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces", + "TotalViolations": 0 +} +{ + "Name": "Resource Limits", + "Description": "Containers must have cpu / memory limits and the values must be below the specified maximum.", + "Version": "v3.5.1", + "Parameters": { + 
"cpu": "2000m", + "exemptContainers": [ + "" + ], + "memory": "4G" + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/containerlimits", + "Docs": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", + "TotalViolations": 10, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource limits", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource limits", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource limits", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource limits", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container has no resource limits", + "name": "nexus-repository-manager-8cb6f55fb-qp6pf", + "namespace": "nexus-repository-manager" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container memory limit <4Gi> is higher than the maximum allowed of <4G>", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container cpu limit <4> is higher than the maximum allowed of <2000m>", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container memory limit <4Gi> is higher than the maximum allowed of <4G>", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container cpu limit <4> is higher than the maximum allowed of <2000m>", + "name": "logging-ek-es-data-1", 
+ "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container memory limit <4Gi> is higher than the maximum allowed of <4G>", + "name": "logging-ek-es-master-0", + "namespace": "logging" + } + ] +} +{ + "Name": "Banned Image Tags", + "Description": "Container Images cannot use specified tags", + "Version": "v3.5.1", + "Parameters": { + "tags": [ + "latest" + ] + }, + "Source": "Unspecified", + "Docs": "https://kubernetes.io/docs/concepts/containers/images/#image-names", + "TotalViolations": 0 +} +{ + "Name": "Users and Groups", + "Description": "Containers must be run as one of the specified users and groups.", + "Version": "v3.5.1", + "Parameters": { + "fsGroup": { + "ranges": [ + { + "max": 65535, + "min": 1000 + } + ], + "rule": "MustRunAs" + }, + "runAsGroup": { + "ranges": [ + { + "max": 65535, + "min": 1000 + } + ], + "rule": "MustRunAs" + }, + "runAsUser": { + "rule": "MustRunAsNonRoot" + }, + "supplementalGroups": { + "ranges": [ + { + "max": 65535, + "min": 1000 + } + ], + "rule": "MustRunAs" + } + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/users", + "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1", + "Related": "https://wiki.archlinux.org/title/users_and_groups", + "TotalViolations": 91, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container manager is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "helm-controller-6c67b58f78-z68tg", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container manager is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "helm-controller-6c67b58f78-z68tg", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container manager is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "kustomize-controller-d689c6688-7ftpn", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "kustomize-controller-d689c6688-7ftpn", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container manager is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "notification-controller-65dffcb7-9kwsx", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "notification-controller-65dffcb7-9kwsx", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container manager is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "source-controller-5fdb69cc66-zmdmv", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "source-controller-5fdb69cc66-zmdmv", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container istio-operator is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "istio-operator-5f6cfb6d5b-zc4wq", + "namespace": "istio-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container istio-operator is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "istio-operator-5f6cfb6d5b-zc4wq", + "namespace": "istio-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container velero is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container velero-plugin-for-aws is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container velero is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container velero-plugin-for-aws is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container velero is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container velero-plugin-for-aws is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container velero is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container velero-plugin-for-aws is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container manager is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "elastic-operator-0", + "namespace": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "elastic-operator-0", + "namespace": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container manager is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "elastic-operator-0", + "namespace": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container kibana is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container elastic-internal-init-config is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container kube-prometheus-stack is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container node-exporter is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container node-exporter is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container kube-state-metrics is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container node-exporter is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container node-exporter is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container opa-collector is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container opa-collector is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container opa-collector is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container opa-collector is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container prometheus is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container config-reloader is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run as disallowed user 0. Allowed runAsUser: {\"rule\": \"MustRunAsNonRoot\"}", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container alertmanager is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container config-reloader is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run as disallowed user 0. Allowed runAsUser: {\"rule\": \"MustRunAsNonRoot\"}", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run as disallowed user 0. 
Allowed runAsUser: {\"rule\": \"MustRunAsNonRoot\"}", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run as disallowed user 0. Allowed runAsUser: {\"rule\": \"MustRunAsNonRoot\"}", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container fluent-bit is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container grafana-sc-dashboard is attempting to run as disallowed group 472. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container grafana is attempting to run as disallowed group 472. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container grafana-sc-datasources is attempting to run as disallowed group 472. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container grafana-sc-dashboard is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container grafana is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container grafana-sc-datasources is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container grafana-sc-dashboard is attempting to run as disallowed group 472. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container grafana is attempting to run as disallowed group 472. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container grafana-sc-datasources is attempting to run as disallowed group 472. 
Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container operator is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", + "namespace": "kiali" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container operator is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", + "namespace": "kiali" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container operator is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", + "namespace": "kiali" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container jaeger-jaeger-jaeger-operator is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container jaeger-jaeger-jaeger-operator is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container jaeger-jaeger-jaeger-operator is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container jaeger-jaeger-jaeger-operator is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container twistlock-console is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", + "name": "twistlock-console-65c7694cb-fqvvs", + "namespace": "twistlock" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container twistlock-console is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "twistlock-console-65c7694cb-fqvvs", + "namespace": "twistlock" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container twistlock-console is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "twistlock-console-65c7694cb-fqvvs", + "namespace": "twistlock" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container twistlock-console is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "twistlock-console-65c7694cb-fqvvs", + "namespace": "twistlock" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container keycloak-postgresql is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "keycloak-postgresql-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container keycloak-postgresql is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "keycloak-postgresql-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container nexus-repository-manager is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", + "name": "nexus-repository-manager-8cb6f55fb-qp6pf", + "namespace": "nexus-repository-manager" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container nexus-repository-manager is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "nexus-repository-manager-8cb6f55fb-qp6pf", + "namespace": "nexus-repository-manager" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container nexus-repository-manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "nexus-repository-manager-8cb6f55fb-qp6pf", + "namespace": "nexus-repository-manager" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container keycloak is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container keycloak is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container pgchecker is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container jaeger is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", + "name": "jaeger-855f748464-kb52h", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container jaeger is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "jaeger-855f748464-kb52h", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container jaeger is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "jaeger-855f748464-kb52h", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container jaeger is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "jaeger-855f748464-kb52h", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container elasticsearch is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container elastic-internal-init-filesystem is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container elasticsearch is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container elastic-internal-init-filesystem is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container elasticsearch is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-ek-es-master-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Container elastic-internal-init-filesystem is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", + "name": "logging-ek-es-master-0", + "namespace": "logging" + } + ] +} +{ + "Name": "Node Ports", + "Description": "Services must not use node ports.", + "Version": "v3.5.1", + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/block-nodeport-services", + "Docs": "https://kubernetes.io/docs/concepts/services-networking/service/#nodeport", + "TotalViolations": 0 +} +{ + "Name": "Flex Volume Drivers", + "Description": "Containers may only use Flex Volumes with the specified drivers", + "Version": "v3.5.1", + "Parameters": { + "allowedFlexVolumes": [] + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/flexvolume-drivers", + "Docs": "https://kubernetes.io/docs/concepts/storage/volumes/#flexvolume", + "Related": "https://github.com/kubernetes/community/blob/master/contributors/devel/sig-storage/flexvolume.md", + "TotalViolations": 0 +} +{ + "Name": "Seccomp", + "Description": "Containers may only use the specified seccomp profiles.", + "Version": "v3.5.1", + "Parameters": { + "allowedProfiles": [ + "runtime/default" + ] + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/seccomp", + "Docs": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-seccomp-profile-for-a-container", + "Related": "https://en.wikipedia.org/wiki/Seccomp", + "TotalViolations": 42, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: helm-controller-6c67b58f78-z68tg, container: manager, Allowed profiles: [\"runtime/default\"]", + "name": "helm-controller-6c67b58f78-z68tg", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: 
kustomize-controller-d689c6688-7ftpn, container: manager, Allowed profiles: [\"runtime/default\"]", + "name": "kustomize-controller-d689c6688-7ftpn", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: notification-controller-65dffcb7-9kwsx, container: manager, Allowed profiles: [\"runtime/default\"]", + "name": "notification-controller-65dffcb7-9kwsx", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: source-controller-5fdb69cc66-zmdmv, container: manager, Allowed profiles: [\"runtime/default\"]", + "name": "source-controller-5fdb69cc66-zmdmv", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: istio-operator-5f6cfb6d5b-zc4wq, container: istio-operator, Allowed profiles: [\"runtime/default\"]", + "name": "istio-operator-5f6cfb6d5b-zc4wq", + "namespace": "istio-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: velero-velero-8675454d6f-bmntn, container: velero, Allowed profiles: [\"runtime/default\"]", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: velero-velero-8675454d6f-bmntn, container: velero-plugin-for-aws, Allowed profiles: [\"runtime/default\"]", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: elastic-operator-0, container: manager, Allowed profiles: [\"runtime/default\"]", + "name": "elastic-operator-0", + "namespace": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-ek-kb-6fb679b5dd-fppqv, 
container: kibana, Allowed profiles: [\"runtime/default\"]", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-ek-kb-6fb679b5dd-fppqv, container: elastic-internal-init-config, Allowed profiles: [\"runtime/default\"]", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-kube-operator-6f5759d4db-d2dbm, container: kube-prometheus-stack, Allowed profiles: [\"runtime/default\"]", + "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-prometheus-node-exporter-wmzcz, container: node-exporter, Allowed profiles: [\"runtime/default\"]", + "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-prometheus-node-exporter-4md9s, container: node-exporter, Allowed profiles: [\"runtime/default\"]", + "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4, container: kube-state-metrics, Allowed profiles: [\"runtime/default\"]", + "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-prometheus-node-exporter-pfxrs, container: node-exporter, Allowed profiles: [\"runtime/default\"]", + "name": 
"monitoring-monitoring-prometheus-node-exporter-pfxrs", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-prometheus-node-exporter-7c6fb, container: node-exporter, Allowed profiles: [\"runtime/default\"]", + "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: opa-collector-689d87d98-8qtmh, container: opa-collector, Allowed profiles: [\"runtime/default\"]", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: prometheus-monitoring-monitoring-kube-prometheus-0, container: prometheus, Allowed profiles: [\"runtime/default\"]", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: prometheus-monitoring-monitoring-kube-prometheus-0, container: config-reloader, Allowed profiles: [\"runtime/default\"]", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-fluent-bit-w6r8f, container: fluent-bit, Allowed profiles: [\"runtime/default\"]", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: alertmanager-monitoring-monitoring-kube-alertmanager-0, container: alertmanager, Allowed profiles: [\"runtime/default\"]", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": 
"Seccomp profile is not allowed, pod: alertmanager-monitoring-monitoring-kube-alertmanager-0, container: config-reloader, Allowed profiles: [\"runtime/default\"]", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-fluent-bit-vbv5d, container: fluent-bit, Allowed profiles: [\"runtime/default\"]", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-fluent-bit-42hth, container: fluent-bit, Allowed profiles: [\"runtime/default\"]", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-fluent-bit-pxsjg, container: fluent-bit, Allowed profiles: [\"runtime/default\"]", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-grafana-77fc445454-zkdd2, container: grafana-sc-dashboard, Allowed profiles: [\"runtime/default\"]", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-grafana-77fc445454-zkdd2, container: grafana, Allowed profiles: [\"runtime/default\"]", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-grafana-77fc445454-zkdd2, container: grafana-sc-datasources, Allowed profiles: [\"runtime/default\"]", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": 
"monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: kiali-kiali-kiali-operator-577b74d96-8hmvh, container: operator, Allowed profiles: [\"runtime/default\"]", + "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", + "namespace": "kiali" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67, container: jaeger-jaeger-jaeger-operator, Allowed profiles: [\"runtime/default\"]", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: twistlock-console-65c7694cb-fqvvs, container: twistlock-console, Allowed profiles: [\"runtime/default\"]", + "name": "twistlock-console-65c7694cb-fqvvs", + "namespace": "twistlock" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: keycloak-postgresql-0, container: keycloak-postgresql, Allowed profiles: [\"runtime/default\"]", + "name": "keycloak-postgresql-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: nexus-repository-manager-8cb6f55fb-qp6pf, container: nexus-repository-manager, Allowed profiles: [\"runtime/default\"]", + "name": "nexus-repository-manager-8cb6f55fb-qp6pf", + "namespace": "nexus-repository-manager" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: keycloak-0, container: keycloak, Allowed profiles: [\"runtime/default\"]", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: keycloak-0, container: pgchecker, Allowed profiles: [\"runtime/default\"]", + "name": "keycloak-0", + "namespace": "keycloak" + }, + 
{ + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: jaeger-855f748464-kb52h, container: jaeger, Allowed profiles: [\"runtime/default\"]", + "name": "jaeger-855f748464-kb52h", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-ek-es-data-0, container: elasticsearch, Allowed profiles: [\"runtime/default\"]", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-ek-es-data-0, container: elastic-internal-init-filesystem, Allowed profiles: [\"runtime/default\"]", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-ek-es-data-1, container: elasticsearch, Allowed profiles: [\"runtime/default\"]", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-ek-es-data-1, container: elastic-internal-init-filesystem, Allowed profiles: [\"runtime/default\"]", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-ek-es-master-0, container: elasticsearch, Allowed profiles: [\"runtime/default\"]", + "name": "logging-ek-es-master-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "Seccomp profile is not allowed, pod: logging-ek-es-master-0, container: elastic-internal-init-filesystem, Allowed profiles: [\"runtime/default\"]", + "name": "logging-ek-es-master-0", + "namespace": "logging" + } + ] +} +{ + "Name": "Image Digests", + "Description": "Containers must use images with a digest instead of a tag.", + 
"Version": "v3.5.1", + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/imagedigests", + "Docs": "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", + "Related": "https://cloud.google.com/architecture/using-container-images", + "TotalViolations": 42, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "helm-controller-6c67b58f78-z68tg", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "kustomize-controller-d689c6688-7ftpn", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "notification-controller-65dffcb7-9kwsx", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "source-controller-5fdb69cc66-zmdmv", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "istio-operator-5f6cfb6d5b-zc4wq", + "namespace": "istio-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "initContainer uses an image without a digest ", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "elastic-operator-0", + "namespace": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": 
"logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "initContainer uses an image without a digest ", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container 
uses an image without a digest ", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "initContainer uses an image without a digest ", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a 
digest ", + "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", + "namespace": "kiali" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "twistlock-console-65c7694cb-fqvvs", + "namespace": "twistlock" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "keycloak-postgresql-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "nexus-repository-manager-8cb6f55fb-qp6pf", + "namespace": "nexus-repository-manager" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "initContainer uses an image without a digest ", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "jaeger-855f748464-kb52h", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "initContainer uses an image without a digest ", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": 
"initContainer uses an image without a digest ", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container uses an image without a digest ", + "name": "logging-ek-es-master-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "initContainer uses an image without a digest ", + "name": "logging-ek-es-master-0", + "namespace": "logging" + } + ] +} +{ + "Name": "Linux Capabilities", + "Description": "Containers may only use specified Linux capabilities", + "Version": "v3.5.1", + "Parameters": { + "allowedCapabilities": [], + "requiredDropCapabilities": [ + "all" + ] + }, + "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/capabilities", + "Docs": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", + "Related": "https://man7.org/linux/man-pages/man7/capabilities.7.html", + "TotalViolations": 42, + "Violations": [ + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "helm-controller-6c67b58f78-z68tg", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "kustomize-controller-d689c6688-7ftpn", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "notification-controller-65dffcb7-9kwsx", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. 
Container must drop all of [\"all\"]", + "name": "source-controller-5fdb69cc66-zmdmv", + "namespace": "flux-system" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "istio-operator-5f6cfb6d5b-zc4wq", + "namespace": "istio-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "velero-velero-8675454d6f-bmntn", + "namespace": "velero" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "elastic-operator-0", + "namespace": "eck-operator" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-ek-kb-6fb679b5dd-fppqv", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. 
Container must drop all of [\"all\"]", + "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "opa-collector-689d87d98-8qtmh", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. 
Container must drop all of [\"all\"]", + "name": "prometheus-monitoring-monitoring-kube-prometheus-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-fluent-bit-w6r8f", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-fluent-bit-vbv5d", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-fluent-bit-42hth", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-fluent-bit-pxsjg", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. 
Container must drop all of [\"all\"]", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", + "namespace": "monitoring" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", + "namespace": "kiali" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "twistlock-console-65c7694cb-fqvvs", + "namespace": "twistlock" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "keycloak-postgresql-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "nexus-repository-manager-8cb6f55fb-qp6pf", + "namespace": "nexus-repository-manager" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "init container is not dropping all required capabilities. 
Container must drop all of [\"all\"]", + "name": "keycloak-0", + "namespace": "keycloak" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "jaeger-855f748464-kb52h", + "namespace": "jaeger" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-ek-es-data-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-ek-es-data-1", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-ek-es-master-0", + "namespace": "logging" + }, + { + "enforcementAction": "dryrun", + "kind": "Pod", + "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", + "name": "logging-ek-es-master-0", + "namespace": "logging" + } + ] +} diff --git a/chart/values.yaml b/chart/values.yaml index daa61ff..14a9d51 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -115,7 +115,11 @@ istiod:
     targetAverageUtilization: 60
   strategy: {}
   # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-  podAnnotations: {}
+  podAnnotations:
+    sidecar.istio.io/proxyCPU: 150m
+    sidecar.istio.io/proxyCPULimit: 150m
+    sidecar.istio.io/proxyMemory: 128Mi
+    sidecar.istio.io/proxyMemoryLimit: 128Mi
   # k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
   serviceAnnotations: {}
-- 
GitLab

From 7bc8ca826edacd6a685dab577d1d4a0d3254e77e Mon Sep 17 00:00:00 2001
From: Ronnie Webb
Date: Mon, 23 Aug 2021 23:00:14 -0500
Subject: [PATCH 05/36] adding global control plane values to annotations

---
 chart/values.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/chart/values.yaml b/chart/values.yaml
index 14a9d51..c1a9f70 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -116,10 +116,10 @@ istiod:
   strategy: {}
   # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
   podAnnotations:
-    sidecar.istio.io/proxyCPU: 150m
-    sidecar.istio.io/proxyCPULimit: 150m
-    sidecar.istio.io/proxyMemory: 128Mi
-    sidecar.istio.io/proxyMemoryLimit: 128Mi
+    sidecar.istio.io/proxyCPU: "150m"
+    sidecar.istio.io/proxyCPULimit: "150m"
+    sidecar.istio.io/proxyMemory: "128Mi"
+    sidecar.istio.io/proxyMemoryLimit: "128Mi"
   # k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
   serviceAnnotations: {}
-- 
GitLab

From 783ab3cdf04f6f0b5da904f6cacbf0daa5815951 Mon Sep 17 00:00:00 2001
From: Ronnie Webb
Date: Wed, 25 Aug 2021 13:43:25 -0500
Subject: [PATCH 06/36] removing global control plane values to annotation

---
 chart/values.yaml | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/chart/values.yaml b/chart/values.yaml
index c1a9f70..524553e 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -115,11 +115,11 @@ istiod:
     targetAverageUtilization: 60
   strategy: {}
   # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-  podAnnotations:
-    sidecar.istio.io/proxyCPU: "150m"
-    sidecar.istio.io/proxyCPULimit: "150m"
-    sidecar.istio.io/proxyMemory: "128Mi"
-    sidecar.istio.io/proxyMemoryLimit: "128Mi"
+  podAnnotations: {}
+    #sidecar.istio.io/proxyCPU: "150m"
+    #sidecar.istio.io/proxyCPULimit: "150m"
+    #sidecar.istio.io/proxyMemory: "128Mi"
+    #sidecar.istio.io/proxyMemoryLimit: "128Mi"
   # k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
   serviceAnnotations: {}
@@ -157,18 +157,17 @@ cni:
 # global istiooperator values:
 meshConfig: {}
-values:
-  global:
-    proxy:
-      image: proxyv2
-      clusterDomain: "cluster.local"
-      resources:
-        requests:
-          cpu: 150m
-          memory: 128Mi
-        limits:
-          cpu: 150m
-          memory: 128Mi
+Values:
+  values:
+    global:
+      proxy:
+        resources:
+          requests:
+            cpu: 150m
+            memory: 128Mi
+          limits:
+            cpu: 150m
+            memory: 128Mi
 networkPolicies:
   enabled: false
   # See `kubectl cluster-info` and then resolve to IP
-- 
GitLab

From 8e52877e414641a813ad581a99a1026f1afa59b9 Mon Sep 17 00:00:00 2001
From: Ronnie Webb
Date: Wed, 25 Aug 2021 14:35:07 -0500
Subject: [PATCH 07/36] removing global control plane values to annotation

---
 chart/values.yaml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/chart/values.yaml b/chart/values.yaml
index 524553e..c956600 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
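Review bot: The four commented-out lines added beneath `podAnnotations: {}` are written as `#sidecar...` with no space after the hash and sit indented as if they were children of an empty flow mapping, so they read as dead configuration rather than guidance. If the intent is to show operators how to size the sidecar per pod, turn them into one real comment above the key, `# Per-pod proxy sizing can be set here, e.g. sidecar.istio.io/proxyCPU: "150m"`; if the sizing now lives only in the global proxy resources added further down in this patch, drop the four lines instead. The enclosing `istiod:` mapping starts outside the hunk.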
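Review bot: Replacing the top-level `values:` key with `Values:` and nesting a second `values:` under it moves the global proxy `resources` block to a new path, and this patch's diffstat shows only chart/values.yaml changed, so whichever template rendered the former `values.global` block will now find that key absent and render nothing — the proxy requests and limits would silently stop being applied. Under Helm's `.Values` root the new block would have to be addressed as `.Values.Values.values.global`, which looks unintended; the likely fix is to keep the previous nesting, i.e. `values:` at column 0, `  global:`, `    proxy:`, and drop the extra `Values:`/`values:` pair. If the capitalised key is deliberate, pair it with the matching template change in the same commit so the chart does not ship with the resources disconnected.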
@@ -37,8 +37,16 @@ ingressGateways:
 service:
 type: "LoadBalancer" # or "NodePort"
 # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup
- podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ podAnnotations:
+ sidecar.istio.io/proxyCPU: "150m"
+ sidecar.istio.io/proxyCPULimit: "150m"
+ sidecar.istio.io/proxyMemory: "128Mi"
+ sidecar.istio.io/proxyMemoryLimit: "128Mi" # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ serviceAnnotations:
+ sidecar.istio.io/proxyCPU: "150m"
+ sidecar.istio.io/proxyCPULimit: "150m"
+ sidecar.istio.io/proxyMemory: "128Mi"
+ sidecar.istio.io/proxyMemoryLimit: "128Mi" # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
 nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
 affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
 tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-- 
GitLab

From 9575ebf5f21ec0c4130ae1eb941174ee1c5a0492 Mon Sep 17 00:00:00 2001
From: Ronnie Webb
Date: Wed, 25 Aug 2021 17:36:46 -0500
Subject: [PATCH 08/36] adding final values.yaml

---
 chart/gatekeeper-report.json | 3551 ----------------------------------
 1 file changed, 3551 deletions(-)
 delete mode 100644 chart/gatekeeper-report.json

diff --git a/chart/gatekeeper-report.json b/chart/gatekeeper-report.json
deleted file mode 100644
index 762e473..0000000
--- a/chart/gatekeeper-report.json
+++ /dev/null
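Review bot: The `sidecar.istio.io/proxy*` entries added under `serviceAnnotations` are pod-template annotations read by the sidecar injector; on the gateway Service object they have no effect and read as a copy-paste of the `podAnnotations` block, so `serviceAnnotations: {}` should be restored. For the gateway pods they only take effect if the gateway deployment is produced through injection, and if this gateway also carries resources through the operator's `k8s.resources` field (not visible in this hunk) it is unclear which setting the rendered pod spec honors — confirm against the output. The reference URL comments that used to sit on the `podAnnotations`/`serviceAnnotations` key lines are now appended to the last `proxyMemoryLimit` entry; keep them on the key line, e.g. `podAnnotations: # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/`.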
@@ -1,3551 +0,0 @@ -{ - "Name": "Automatic Istio Sidecar Injection", - "Description": "Namespaces must have automatic Istio Sidecar injection enabled.", - "Version": "v3.5.1", - "Parameters": { - "labels": [ - { - "allowedRegex": "^enabled", - "key": "istio-injection" - } - ] - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/requiredlabels", - "Docs": "https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#injection", - "Related": "https://istio.io/latest/docs/reference/config/networking/sidecar/", - "TotalViolations": 10, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Namespace", - "message": "you must provide labels: {\"istio-injection\"}", - "name": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Namespace", - "message": "you must provide labels: {\"istio-injection\"}", - "name": "kube-public" - }, - { - "enforcementAction": "dryrun", - "kind": "Namespace", - "message": "you must provide labels: {\"istio-injection\"}", - "name": "kube-node-lease" - }, - { - "enforcementAction": "dryrun", - "kind": "Namespace", - "message": "you must provide labels: {\"istio-injection\"}", - "name": "bigbang" - }, - { - "enforcementAction": "dryrun", - "kind": "Namespace", - "message": "you must provide labels: {\"istio-injection\"}", - "name": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Namespace", - "message": "Label does not satisfy allowed regex: ^enabled", - "name": "istio-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Namespace", - "message": "Label does not satisfy allowed regex: ^enabled", - "name": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Namespace", - "message": "Label does not satisfy allowed regex: ^enabled", - "name": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Namespace", - "message": "Label does not satisfy allowed regex: ^enabled", - "name": "monitoring" - }, - { - 
"enforcementAction": "dryrun", - "kind": "Namespace", - "message": "Label does not satisfy allowed regex: ^enabled", - "name": "istio-system" - } - ] -} -{ - "Name": "Required Labels", - "Description": "Containers must have the specified labels.", - "Version": "v3.5.1", - "Parameters": { - "labels": [ - { - "allowedRegex": "", - "key": "app.kubernetes.io/name" - }, - { - "allowedRegex": "", - "key": "app.kubernetes.io/instance" - }, - { - "allowedRegex": "", - "key": "app.kubernetes.io/version" - }, - { - "allowedRegex": "", - "key": "app.kubernetes.io/component" - }, - { - "allowedRegex": "", - "key": "app.kubernetes.io/part-of" - }, - { - "allowedRegex": "", - "key": "app.kubernetes.io/managed-by" - } - ] - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/requiredlabels", - "Docs": "https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/", - "TotalViolations": 32, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "helm-controller-6c67b58f78-z68tg", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "kustomize-controller-d689c6688-7ftpn", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - 
"name": "notification-controller-65dffcb7-9kwsx", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "source-controller-5fdb69cc66-zmdmv", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "istio-operator-5f6cfb6d5b-zc4wq", - "namespace": "istio-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "elastic-operator-0", - "namespace": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", 
\"app.kubernetes.io/version\"}", - "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", - "namespace": "monitoring" - }, - 
{ - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\"}", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide 
labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\"}", - "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", - "namespace": "kiali" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "twistlock-console-65c7694cb-fqvvs", - "namespace": "twistlock" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "keycloak-postgresql-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "nexus-repository-manager-8cb6f55fb-qp6pf", - "namespace": "nexus-repository-manager" - }, - { - "enforcementAction": 
"dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/version\"}", - "name": "jaeger-855f748464-kb52h", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "you must provide labels: {\"app.kubernetes.io/component\", \"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\", \"app.kubernetes.io/part-of\", \"app.kubernetes.io/version\"}", - "name": "logging-ek-es-master-0", - "namespace": "logging" - } - ] -} -{ - "Name": "Deny Service Account Default", - "Description": "Pods are not allowed to use default SA.", - "Version": "v3.5.1", - "Source": "Unspecified", - "Docs": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server", - "Related": "https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller", - "TotalViolations": 1, - "Violations": [ - { - 
"enforcementAction": "dryrun", - "kind": "Pod", - "message": "Default Service Account is not allowed for pod keycloak-postgresql-0 in namespace keycloak", - "name": "keycloak-postgresql-0", - "namespace": "keycloak" - } - ] -} -{ - "Name": "Privilege Escalation", - "Description": "Containers must not allow escalaton of privileges.", - "Version": "v3.5.1", - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/allow-privilege-escalation", - "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1", - "Related": "https://en.wikipedia.org/wiki/Privilege_escalation", - "TotalViolations": 33, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: velero", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: velero-plugin-for-aws", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: manager", - "name": "elastic-operator-0", - "namespace": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: kibana", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: elastic-internal-init-config", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: node-exporter", - "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", - "namespace": "monitoring" - }, - { - "enforcementAction": 
"dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: node-exporter", - "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: kube-state-metrics", - "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: node-exporter", - "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: node-exporter", - "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: prometheus", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: config-reloader", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: fluent-bit", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: alertmanager", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: config-reloader", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - 
"namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: fluent-bit", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: fluent-bit", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: fluent-bit", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: grafana-sc-dashboard", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: grafana", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: grafana-sc-datasources", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: jaeger-jaeger-jaeger-operator", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: twistlock-console", - "name": "twistlock-console-65c7694cb-fqvvs", - "namespace": "twistlock" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: keycloak-postgresql", - "name": "keycloak-postgresql-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - 
"kind": "Pod", - "message": "Privilege escalation container is not allowed: nexus-repository-manager", - "name": "nexus-repository-manager-8cb6f55fb-qp6pf", - "namespace": "nexus-repository-manager" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: keycloak", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: jaeger", - "name": "jaeger-855f748464-kb52h", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: elasticsearch", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: elastic-internal-init-filesystem", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: elasticsearch", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: elastic-internal-init-filesystem", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: elasticsearch", - "name": "logging-ek-es-master-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Privilege escalation container is not allowed: elastic-internal-init-filesystem", - "name": "logging-ek-es-master-0", - "namespace": "logging" - } - ] -} -{ - "Name": "SELinux", - "Description": "Containers may only use the SELnux options specified.", - "Version": "v3.5.1", - "Parameters": { - "allowedSELinuxOptions": [] - }, - "Source": 
"https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/selinux", - "Docs": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#assign-selinux-labels-to-a-container", - "Related": "https://en.wikipedia.org/wiki/Security-Enhanced_Linux", - "TotalViolations": 0 -} -{ - "Name": "External IPs", - "Description": "Services may only contain specified external IPs.", - "Version": "v3.5.1", - "Parameters": { - "allowedIPs": [] - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/externalip", - "Docs": "https://kubernetes.io/docs/concepts/services-networking/service/#external-ips", - "TotalViolations": 0 -} -{ - "Name": "Host Filesystem Paths", - "Description": "Containers may only map volumes to the host node at the specified paths.", - "Version": "v3.5.1", - "Parameters": { - "allowedHostPaths": [] - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/host-filesystem", - "Docs": "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath", - "TotalViolations": 16, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log\", \"type\": \"\"}, \"name\": \"varlog\"} is not allowed, pod: logging-fluent-bit-w6r8f. Allowed path: []", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/lib/docker/containers\", \"type\": \"\"}, \"name\": \"varlibdockercontainers\"} is not allowed, pod: logging-fluent-bit-w6r8f. 
Allowed path: []", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/etc/machine-id\", \"type\": \"File\"}, \"name\": \"etcmachineid\"} is not allowed, pod: logging-fluent-bit-w6r8f. Allowed path: []", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log/flb-storage/\", \"type\": \"DirectoryOrCreate\"}, \"name\": \"flb-storage\"} is not allowed, pod: logging-fluent-bit-w6r8f. Allowed path: []", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log\", \"type\": \"\"}, \"name\": \"varlog\"} is not allowed, pod: logging-fluent-bit-vbv5d. Allowed path: []", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/lib/docker/containers\", \"type\": \"\"}, \"name\": \"varlibdockercontainers\"} is not allowed, pod: logging-fluent-bit-vbv5d. Allowed path: []", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/etc/machine-id\", \"type\": \"File\"}, \"name\": \"etcmachineid\"} is not allowed, pod: logging-fluent-bit-vbv5d. Allowed path: []", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log/flb-storage/\", \"type\": \"DirectoryOrCreate\"}, \"name\": \"flb-storage\"} is not allowed, pod: logging-fluent-bit-vbv5d. 
Allowed path: []", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log\", \"type\": \"\"}, \"name\": \"varlog\"} is not allowed, pod: logging-fluent-bit-42hth. Allowed path: []", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/lib/docker/containers\", \"type\": \"\"}, \"name\": \"varlibdockercontainers\"} is not allowed, pod: logging-fluent-bit-42hth. Allowed path: []", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/etc/machine-id\", \"type\": \"File\"}, \"name\": \"etcmachineid\"} is not allowed, pod: logging-fluent-bit-42hth. Allowed path: []", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log/flb-storage/\", \"type\": \"DirectoryOrCreate\"}, \"name\": \"flb-storage\"} is not allowed, pod: logging-fluent-bit-42hth. Allowed path: []", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log\", \"type\": \"\"}, \"name\": \"varlog\"} is not allowed, pod: logging-fluent-bit-pxsjg. Allowed path: []", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/lib/docker/containers\", \"type\": \"\"}, \"name\": \"varlibdockercontainers\"} is not allowed, pod: logging-fluent-bit-pxsjg. 
Allowed path: []", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/etc/machine-id\", \"type\": \"File\"}, \"name\": \"etcmachineid\"} is not allowed, pod: logging-fluent-bit-pxsjg. Allowed path: []", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "HostPath volume {\"hostPath\": {\"path\": \"/var/log/flb-storage/\", \"type\": \"DirectoryOrCreate\"}, \"name\": \"flb-storage\"} is not allowed, pod: logging-fluent-bit-pxsjg. Allowed path: []", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - } - ] -} -{ - "Name": "SysCtls", - "Description": "Containers must not use specified sysctls.", - "Version": "v3.5.1", - "Parameters": { - "forbiddenSysctls": [ - "*" - ] - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/forbidden-sysctls", - "Docs": "https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#setting-sysctls-for-a-pod", - "Related": "https://man7.org/linux/man-pages/man8/sysctl.8.html", - "TotalViolations": 0 -} -{ - "Name": "Unique Ingress Hosts", - "Description": "Ingress hosts must be unique.", - "Version": "v3.5.1", - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/uniqueingresshost", - "Docs": "https://kubernetes.io/docs/concepts/services-networking/ingress/", - "TotalViolations": 0 -} -{ - "Name": "Proc Mount", - "Description": "Containers may only use the specified ProcMount types.", - "Version": "v3.5.1", - "Parameters": { - "procMount": "Default" - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/proc-mount", - "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1", - "TotalViolations": 0 -} 
-{ - "Name": "Probes", - "Description": "Container must have specified probes and probe types.", - "Version": "v3.5.1", - "Parameters": { - "probeTypes": [ - "tcpSocket", - "httpGet", - "exec" - ], - "probes": [ - "readinessProbe", - "livenessProbe" - ] - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/requiredprobes", - "Docs": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", - "Related": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes", - "TotalViolations": 27, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "istio-operator-5f6cfb6d5b-zc4wq", - "namespace": "istio-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "istio-operator-5f6cfb6d5b-zc4wq", - "namespace": "istio-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "elastic-operator-0", - "namespace": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "elastic-operator-0", - "namespace": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", - "namespace": 
"monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - 
"name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", - "namespace": "kiali" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", - "namespace": "kiali" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "twistlock-console-65c7694cb-fqvvs", - "namespace": "twistlock" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "twistlock-console-65c7694cb-fqvvs", - "namespace": "twistlock" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container in your has no ", - "name": "logging-ek-es-master-0", - "namespace": "logging" - } - ] -} -{ - "Name": "Taints and Tolerations", - "Description": "Container must be configured according to specified taint and toleration rules.", - "Version": "v3.5.1", - "Parameters": { - "allowGlobalToleration": false, - "restrictedTaint": { - "effect": "NoSchedule", - "key": "privileged", - "value": "true" - } - }, - "Source": "https://github.com/stackrox/blog-examples/tree/master/code/opa-gatekeeper-taint-tolerations", - "Docs": "https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/", - "Related": 
"https://www.openshift.com/blog/better-kubernetes-security-with-open-policy-agent-opa-part-2", - "TotalViolations": 0 -} -{ - "Name": "Istio Sidecar in Containers", - "Description": "Containers must have Istio Sidecar injection enabled.", - "Version": "v3.5.1", - "Parameters": { - "annotations": [ - { - "disallowedRegex": "^false", - "key": "sidecar.istio.io/inject" - } - ] - }, - "Source": "Unspecified", - "Docs": "https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#injection", - "Related": "https://istio.io/latest/docs/reference/config/networking/sidecar/", - "TotalViolations": 0 -} -{ - "Name": "Host Network Ports", - "Description": "Container images may only use host ports that are specified.", - "Version": "v3.5.1", - "Parameters": { - "hostNetwork": false - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/host-network-ports", - "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hosts-namespaces", - "Related": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces", - "TotalViolations": 0 -} -{ - "Name": "Image Repositories", - "Description": "Container images must be pulled from the specified repositories.", - "Version": "v3.5.1", - "Parameters": { - "exemptContainers": [], - "repos": [ - "registry1.dso.mil", - "registry.dso.mil" - ] - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/allowedrepos", - "Docs": "https://kubernetes.io/docs/concepts/containers/images/", - "TotalViolations": 0 -} -{ - "Name": "Ingress on HTTPS Only", - "Description": "Ingress must only allow HTTPS connections.", - "Version": "v3.5.1", - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/httpsonly", - "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec", - "Related": 
"https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-xlb#disabling_http", - "TotalViolations": 0 -} -{ - "Name": "Resource Ratio", - "Description": "Container resource limits to requests ratio must not be higher than specified.", - "Version": "v3.5.1", - "Parameters": { - "ratio": "2" - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/containerresourceratios", - "Docs": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", - "TotalViolations": 19, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container cpu limit <100m> is higher than the maximum allowed ratio of <2>", - "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container cpu limit <600m> is higher than the maximum allowed ratio of <2>", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container memory limit <2Gi> is higher than the maximum allowed ratio of <2>", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container cpu limit <300m> is higher than the maximum allowed ratio of <2>", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container memory limit <1500Mi> is higher than the maximum allowed ratio of <2>", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource limits", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no 
resource requests", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource limits", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource requests", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource limits", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource requests", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource limits", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource requests", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource limits", - "name": "nexus-repository-manager-8cb6f55fb-qp6pf", - "namespace": "nexus-repository-manager" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container cpu limit <500m> is higher than the maximum allowed ratio of <2>", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container memory limit <1Gi> is higher than the maximum allowed ratio of <2>", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container cpu limit <4> is higher than the maximum allowed ratio of <2>", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": 
"container cpu limit <4> is higher than the maximum allowed ratio of <2>", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container cpu limit <2> is higher than the maximum allowed ratio of <2>", - "name": "logging-ek-es-master-0", - "namespace": "logging" - } - ] -} -{ - "Name": "Volume Types", - "Description": "Containers may only use the specified volume types in volume mounts.", - "Version": "v3.5.1", - "Parameters": { - "volumes": [ - "configMap", - "emptyDir", - "projected", - "secret", - "downwardAPI", - "persistentVolumeClaim" - ] - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/volumes", - "Docs": "https://kubernetes.io/docs/concepts/storage/volumes/#volume-types", - "TotalViolations": 0 -} -{ - "Name": "Unique Service Selector", - "Description": "Services must have unique selectors within a namespace.", - "Version": "v3.5.1", - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/uniqueserviceselector", - "Docs": "https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service", - "Related": "https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors", - "TotalViolations": 50, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": 
"kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - 
"name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace 
", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "kubernetes", - "namespace": "default" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "notification-controller", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "webhook-receiver", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "logging-ek-es-transport", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "logging-ek-es-http", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "keycloak-headless", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "keycloak-http", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-collector-headless", - "namespace": "jaeger" - }, - { - "enforcementAction": 
"dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-collector-headless", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-collector-headless", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-collector", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-collector", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-collector", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-query", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-query", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-query", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-agent", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-agent", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Service", - "message": "same selector as service in namespace ", - "name": "jaeger-agent", - "namespace": "jaeger" - } - ] -} -{ - "Name": "Privilged Containers", - "Description": "Containers must not run as privileged.", - "Version": "v3.5.1", - "Source": 
"https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/privileged-containers", - "Docs": "https://kubernetes.io/docs/concepts/workloads/pods/#privileged-mode-for-containers", - "TotalViolations": 0 -} -{ - "Name": "Read-only Root Filesystem", - "Description": "Containers must have read-only root filesystems.", - "Version": "v3.5.1", - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/read-only-root-filesystem", - "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1", - "TotalViolations": 30, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: velero", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: velero-plugin-for-aws", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: manager", - "name": "elastic-operator-0", - "namespace": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: kibana", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: elastic-internal-init-config", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: node-exporter", - "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": 
"Pod", - "message": "only read-only root filesystem container is allowed: node-exporter", - "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: kube-state-metrics", - "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: node-exporter", - "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: node-exporter", - "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: prometheus", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: config-reloader", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: alertmanager", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: config-reloader", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: grafana-sc-dashboard", - 
"name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: grafana", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: grafana-sc-datasources", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: operator", - "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", - "namespace": "kiali" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: jaeger-jaeger-jaeger-operator", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: keycloak-postgresql", - "name": "keycloak-postgresql-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: nexus-repository-manager", - "name": "nexus-repository-manager-8cb6f55fb-qp6pf", - "namespace": "nexus-repository-manager" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: keycloak", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: pgchecker", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: jaeger", - "name": 
"jaeger-855f748464-kb52h", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: elasticsearch", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: elastic-internal-init-filesystem", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: elasticsearch", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: elastic-internal-init-filesystem", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: elasticsearch", - "name": "logging-ek-es-master-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "only read-only root filesystem container is allowed: elastic-internal-init-filesystem", - "name": "logging-ek-es-master-0", - "namespace": "logging" - } - ] -} -{ - "Name": "Host Namespace", - "Description": "Containers must not share the host's namespaces", - "Version": "v3.5.1", - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/host-namespaces", - "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hosts-namespaces", - "Related": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces", - "TotalViolations": 0 -} -{ - "Name": "Resource Limits", - "Description": "Containers must have cpu / memory limits and the values must be below the specified maximum.", - "Version": "v3.5.1", - "Parameters": { - 
"cpu": "2000m", - "exemptContainers": [ - "" - ], - "memory": "4G" - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/containerlimits", - "Docs": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", - "TotalViolations": 10, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource limits", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource limits", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource limits", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource limits", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container has no resource limits", - "name": "nexus-repository-manager-8cb6f55fb-qp6pf", - "namespace": "nexus-repository-manager" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container memory limit <4Gi> is higher than the maximum allowed of <4G>", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container cpu limit <4> is higher than the maximum allowed of <2000m>", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container memory limit <4Gi> is higher than the maximum allowed of <4G>", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container cpu limit <4> is higher than the maximum allowed of <2000m>", - "name": "logging-ek-es-data-1", 
- "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container memory limit <4Gi> is higher than the maximum allowed of <4G>", - "name": "logging-ek-es-master-0", - "namespace": "logging" - } - ] -} -{ - "Name": "Banned Image Tags", - "Description": "Container Images cannot use specified tags", - "Version": "v3.5.1", - "Parameters": { - "tags": [ - "latest" - ] - }, - "Source": "Unspecified", - "Docs": "https://kubernetes.io/docs/concepts/containers/images/#image-names", - "TotalViolations": 0 -} -{ - "Name": "Users and Groups", - "Description": "Containers must be run as one of the specified users and groups.", - "Version": "v3.5.1", - "Parameters": { - "fsGroup": { - "ranges": [ - { - "max": 65535, - "min": 1000 - } - ], - "rule": "MustRunAs" - }, - "runAsGroup": { - "ranges": [ - { - "max": 65535, - "min": 1000 - } - ], - "rule": "MustRunAs" - }, - "runAsUser": { - "rule": "MustRunAsNonRoot" - }, - "supplementalGroups": { - "ranges": [ - { - "max": 65535, - "min": 1000 - } - ], - "rule": "MustRunAs" - } - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/users", - "Docs": "https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1", - "Related": "https://wiki.archlinux.org/title/users_and_groups", - "TotalViolations": 91, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container manager is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "helm-controller-6c67b58f78-z68tg", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container manager is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "helm-controller-6c67b58f78-z68tg", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container manager is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "kustomize-controller-d689c6688-7ftpn", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "kustomize-controller-d689c6688-7ftpn", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container manager is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "notification-controller-65dffcb7-9kwsx", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "notification-controller-65dffcb7-9kwsx", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container manager is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "source-controller-5fdb69cc66-zmdmv", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "source-controller-5fdb69cc66-zmdmv", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container istio-operator is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "istio-operator-5f6cfb6d5b-zc4wq", - "namespace": "istio-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container istio-operator is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "istio-operator-5f6cfb6d5b-zc4wq", - "namespace": "istio-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container velero is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container velero-plugin-for-aws is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container velero is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container velero-plugin-for-aws is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container velero is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container velero-plugin-for-aws is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container velero is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container velero-plugin-for-aws is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container manager is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "elastic-operator-0", - "namespace": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "elastic-operator-0", - "namespace": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container manager is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "elastic-operator-0", - "namespace": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container kibana is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container elastic-internal-init-config is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container kube-prometheus-stack is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container node-exporter is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container node-exporter is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container kube-state-metrics is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container node-exporter is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container node-exporter is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container opa-collector is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container opa-collector is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container opa-collector is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container opa-collector is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container prometheus is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container config-reloader is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run as disallowed user 0. Allowed runAsUser: {\"rule\": \"MustRunAsNonRoot\"}", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container alertmanager is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container config-reloader is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run as disallowed user 0. Allowed runAsUser: {\"rule\": \"MustRunAsNonRoot\"}", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run as disallowed user 0. 
Allowed runAsUser: {\"rule\": \"MustRunAsNonRoot\"}", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run as disallowed user 0. Allowed runAsUser: {\"rule\": \"MustRunAsNonRoot\"}", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container fluent-bit is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container grafana-sc-dashboard is attempting to run as disallowed group 472. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container grafana is attempting to run as disallowed group 472. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container grafana-sc-datasources is attempting to run as disallowed group 472. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container grafana-sc-dashboard is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container grafana is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container grafana-sc-datasources is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container grafana-sc-dashboard is attempting to run as disallowed group 472. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container grafana is attempting to run as disallowed group 472. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container grafana-sc-datasources is attempting to run as disallowed group 472. 
Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container operator is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", - "namespace": "kiali" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container operator is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", - "namespace": "kiali" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container operator is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", - "namespace": "kiali" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container jaeger-jaeger-jaeger-operator is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container jaeger-jaeger-jaeger-operator is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container jaeger-jaeger-jaeger-operator is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container jaeger-jaeger-jaeger-operator is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container twistlock-console is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", - "name": "twistlock-console-65c7694cb-fqvvs", - "namespace": "twistlock" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container twistlock-console is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "twistlock-console-65c7694cb-fqvvs", - "namespace": "twistlock" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container twistlock-console is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "twistlock-console-65c7694cb-fqvvs", - "namespace": "twistlock" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container twistlock-console is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "twistlock-console-65c7694cb-fqvvs", - "namespace": "twistlock" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container keycloak-postgresql is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "keycloak-postgresql-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container keycloak-postgresql is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "keycloak-postgresql-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container nexus-repository-manager is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", - "name": "nexus-repository-manager-8cb6f55fb-qp6pf", - "namespace": "nexus-repository-manager" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container nexus-repository-manager is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "nexus-repository-manager-8cb6f55fb-qp6pf", - "namespace": "nexus-repository-manager" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container nexus-repository-manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "nexus-repository-manager-8cb6f55fb-qp6pf", - "namespace": "nexus-repository-manager" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container keycloak is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container keycloak is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container pgchecker is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container jaeger is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", - "name": "jaeger-855f748464-kb52h", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container jaeger is attempting to run without a required securityContext/runAsGroup. 
Allowed runAsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "jaeger-855f748464-kb52h", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container jaeger is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "jaeger-855f748464-kb52h", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container jaeger is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "jaeger-855f748464-kb52h", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container elasticsearch is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container elastic-internal-init-filesystem is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container elasticsearch is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container elastic-internal-init-filesystem is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container elasticsearch is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-ek-es-master-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Container elastic-internal-init-filesystem is attempting to run without a required securityContext/supplementalGroups. 
Allowed supplementalGroups: {\"ranges\": [{\"max\": 65535, \"min\": 1000}], \"rule\": \"MustRunAs\"}", - "name": "logging-ek-es-master-0", - "namespace": "logging" - } - ] -} -{ - "Name": "Node Ports", - "Description": "Services must not use node ports.", - "Version": "v3.5.1", - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/block-nodeport-services", - "Docs": "https://kubernetes.io/docs/concepts/services-networking/service/#nodeport", - "TotalViolations": 0 -} -{ - "Name": "Flex Volume Drivers", - "Description": "Containers may only use Flex Volumes with the specified drivers", - "Version": "v3.5.1", - "Parameters": { - "allowedFlexVolumes": [] - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/flexvolume-drivers", - "Docs": "https://kubernetes.io/docs/concepts/storage/volumes/#flexvolume", - "Related": "https://github.com/kubernetes/community/blob/master/contributors/devel/sig-storage/flexvolume.md", - "TotalViolations": 0 -} -{ - "Name": "Seccomp", - "Description": "Containers may only use the specified seccomp profiles.", - "Version": "v3.5.1", - "Parameters": { - "allowedProfiles": [ - "runtime/default" - ] - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/seccomp", - "Docs": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-seccomp-profile-for-a-container", - "Related": "https://en.wikipedia.org/wiki/Seccomp", - "TotalViolations": 42, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: helm-controller-6c67b58f78-z68tg, container: manager, Allowed profiles: [\"runtime/default\"]", - "name": "helm-controller-6c67b58f78-z68tg", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: 
kustomize-controller-d689c6688-7ftpn, container: manager, Allowed profiles: [\"runtime/default\"]", - "name": "kustomize-controller-d689c6688-7ftpn", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: notification-controller-65dffcb7-9kwsx, container: manager, Allowed profiles: [\"runtime/default\"]", - "name": "notification-controller-65dffcb7-9kwsx", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: source-controller-5fdb69cc66-zmdmv, container: manager, Allowed profiles: [\"runtime/default\"]", - "name": "source-controller-5fdb69cc66-zmdmv", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: istio-operator-5f6cfb6d5b-zc4wq, container: istio-operator, Allowed profiles: [\"runtime/default\"]", - "name": "istio-operator-5f6cfb6d5b-zc4wq", - "namespace": "istio-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: velero-velero-8675454d6f-bmntn, container: velero, Allowed profiles: [\"runtime/default\"]", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: velero-velero-8675454d6f-bmntn, container: velero-plugin-for-aws, Allowed profiles: [\"runtime/default\"]", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: elastic-operator-0, container: manager, Allowed profiles: [\"runtime/default\"]", - "name": "elastic-operator-0", - "namespace": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-ek-kb-6fb679b5dd-fppqv, 
container: kibana, Allowed profiles: [\"runtime/default\"]", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-ek-kb-6fb679b5dd-fppqv, container: elastic-internal-init-config, Allowed profiles: [\"runtime/default\"]", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-kube-operator-6f5759d4db-d2dbm, container: kube-prometheus-stack, Allowed profiles: [\"runtime/default\"]", - "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-prometheus-node-exporter-wmzcz, container: node-exporter, Allowed profiles: [\"runtime/default\"]", - "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-prometheus-node-exporter-4md9s, container: node-exporter, Allowed profiles: [\"runtime/default\"]", - "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4, container: kube-state-metrics, Allowed profiles: [\"runtime/default\"]", - "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-prometheus-node-exporter-pfxrs, container: node-exporter, Allowed profiles: [\"runtime/default\"]", - "name": 
"monitoring-monitoring-prometheus-node-exporter-pfxrs", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-prometheus-node-exporter-7c6fb, container: node-exporter, Allowed profiles: [\"runtime/default\"]", - "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: opa-collector-689d87d98-8qtmh, container: opa-collector, Allowed profiles: [\"runtime/default\"]", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: prometheus-monitoring-monitoring-kube-prometheus-0, container: prometheus, Allowed profiles: [\"runtime/default\"]", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: prometheus-monitoring-monitoring-kube-prometheus-0, container: config-reloader, Allowed profiles: [\"runtime/default\"]", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-fluent-bit-w6r8f, container: fluent-bit, Allowed profiles: [\"runtime/default\"]", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: alertmanager-monitoring-monitoring-kube-alertmanager-0, container: alertmanager, Allowed profiles: [\"runtime/default\"]", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": 
"Seccomp profile is not allowed, pod: alertmanager-monitoring-monitoring-kube-alertmanager-0, container: config-reloader, Allowed profiles: [\"runtime/default\"]", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-fluent-bit-vbv5d, container: fluent-bit, Allowed profiles: [\"runtime/default\"]", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-fluent-bit-42hth, container: fluent-bit, Allowed profiles: [\"runtime/default\"]", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-fluent-bit-pxsjg, container: fluent-bit, Allowed profiles: [\"runtime/default\"]", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-grafana-77fc445454-zkdd2, container: grafana-sc-dashboard, Allowed profiles: [\"runtime/default\"]", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-grafana-77fc445454-zkdd2, container: grafana, Allowed profiles: [\"runtime/default\"]", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: monitoring-monitoring-grafana-77fc445454-zkdd2, container: grafana-sc-datasources, Allowed profiles: [\"runtime/default\"]", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": 
"monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: kiali-kiali-kiali-operator-577b74d96-8hmvh, container: operator, Allowed profiles: [\"runtime/default\"]", - "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", - "namespace": "kiali" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67, container: jaeger-jaeger-jaeger-operator, Allowed profiles: [\"runtime/default\"]", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: twistlock-console-65c7694cb-fqvvs, container: twistlock-console, Allowed profiles: [\"runtime/default\"]", - "name": "twistlock-console-65c7694cb-fqvvs", - "namespace": "twistlock" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: keycloak-postgresql-0, container: keycloak-postgresql, Allowed profiles: [\"runtime/default\"]", - "name": "keycloak-postgresql-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: nexus-repository-manager-8cb6f55fb-qp6pf, container: nexus-repository-manager, Allowed profiles: [\"runtime/default\"]", - "name": "nexus-repository-manager-8cb6f55fb-qp6pf", - "namespace": "nexus-repository-manager" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: keycloak-0, container: keycloak, Allowed profiles: [\"runtime/default\"]", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: keycloak-0, container: pgchecker, Allowed profiles: [\"runtime/default\"]", - "name": "keycloak-0", - "namespace": "keycloak" - }, - 
{ - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: jaeger-855f748464-kb52h, container: jaeger, Allowed profiles: [\"runtime/default\"]", - "name": "jaeger-855f748464-kb52h", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-ek-es-data-0, container: elasticsearch, Allowed profiles: [\"runtime/default\"]", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-ek-es-data-0, container: elastic-internal-init-filesystem, Allowed profiles: [\"runtime/default\"]", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-ek-es-data-1, container: elasticsearch, Allowed profiles: [\"runtime/default\"]", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-ek-es-data-1, container: elastic-internal-init-filesystem, Allowed profiles: [\"runtime/default\"]", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-ek-es-master-0, container: elasticsearch, Allowed profiles: [\"runtime/default\"]", - "name": "logging-ek-es-master-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "Seccomp profile is not allowed, pod: logging-ek-es-master-0, container: elastic-internal-init-filesystem, Allowed profiles: [\"runtime/default\"]", - "name": "logging-ek-es-master-0", - "namespace": "logging" - } - ] -} -{ - "Name": "Image Digests", - "Description": "Containers must use images with a digest instead of a tag.", - 
"Version": "v3.5.1", - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/imagedigests", - "Docs": "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", - "Related": "https://cloud.google.com/architecture/using-container-images", - "TotalViolations": 42, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "helm-controller-6c67b58f78-z68tg", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "kustomize-controller-d689c6688-7ftpn", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "notification-controller-65dffcb7-9kwsx", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "source-controller-5fdb69cc66-zmdmv", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "istio-operator-5f6cfb6d5b-zc4wq", - "namespace": "istio-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "initContainer uses an image without a digest ", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "elastic-operator-0", - "namespace": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": 
"logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "initContainer uses an image without a digest ", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container 
uses an image without a digest ", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "initContainer uses an image without a digest ", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a 
digest ", - "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", - "namespace": "kiali" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "twistlock-console-65c7694cb-fqvvs", - "namespace": "twistlock" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "keycloak-postgresql-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "nexus-repository-manager-8cb6f55fb-qp6pf", - "namespace": "nexus-repository-manager" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "initContainer uses an image without a digest ", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "jaeger-855f748464-kb52h", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "initContainer uses an image without a digest ", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": 
"initContainer uses an image without a digest ", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container uses an image without a digest ", - "name": "logging-ek-es-master-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "initContainer uses an image without a digest ", - "name": "logging-ek-es-master-0", - "namespace": "logging" - } - ] -} -{ - "Name": "Linux Capabilities", - "Description": "Containers may only use specified Linux capabilities", - "Version": "v3.5.1", - "Parameters": { - "allowedCapabilities": [], - "requiredDropCapabilities": [ - "all" - ] - }, - "Source": "https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/capabilities", - "Docs": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", - "Related": "https://man7.org/linux/man-pages/man7/capabilities.7.html", - "TotalViolations": 42, - "Violations": [ - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "helm-controller-6c67b58f78-z68tg", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "kustomize-controller-d689c6688-7ftpn", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "notification-controller-65dffcb7-9kwsx", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. 
Container must drop all of [\"all\"]", - "name": "source-controller-5fdb69cc66-zmdmv", - "namespace": "flux-system" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "istio-operator-5f6cfb6d5b-zc4wq", - "namespace": "istio-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "velero-velero-8675454d6f-bmntn", - "namespace": "velero" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "elastic-operator-0", - "namespace": "eck-operator" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-ek-kb-6fb679b5dd-fppqv", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "monitoring-monitoring-kube-operator-6f5759d4db-d2dbm", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. 
Container must drop all of [\"all\"]", - "name": "monitoring-monitoring-prometheus-node-exporter-wmzcz", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "monitoring-monitoring-prometheus-node-exporter-4md9s", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "monitoring-monitoring-kube-state-metrics-7b55c5d967-t76q4", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "monitoring-monitoring-prometheus-node-exporter-pfxrs", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "monitoring-monitoring-prometheus-node-exporter-7c6fb", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "opa-collector-689d87d98-8qtmh", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. 
Container must drop all of [\"all\"]", - "name": "prometheus-monitoring-monitoring-kube-prometheus-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-fluent-bit-w6r8f", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "alertmanager-monitoring-monitoring-kube-alertmanager-0", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-fluent-bit-vbv5d", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-fluent-bit-42hth", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-fluent-bit-pxsjg", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. 
Container must drop all of [\"all\"]", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "monitoring-monitoring-grafana-77fc445454-zkdd2", - "namespace": "monitoring" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "kiali-kiali-kiali-operator-577b74d96-8hmvh", - "namespace": "kiali" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "jaeger-jaeger-jaeger-operator-76f99ff6f4-djv67", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "twistlock-console-65c7694cb-fqvvs", - "namespace": "twistlock" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "keycloak-postgresql-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "nexus-repository-manager-8cb6f55fb-qp6pf", - "namespace": "nexus-repository-manager" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "init container is not dropping all required capabilities. 
Container must drop all of [\"all\"]", - "name": "keycloak-0", - "namespace": "keycloak" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "jaeger-855f748464-kb52h", - "namespace": "jaeger" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-ek-es-data-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-ek-es-data-1", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-ek-es-master-0", - "namespace": "logging" - }, - { - "enforcementAction": "dryrun", - "kind": "Pod", - "message": "init container is not dropping all required capabilities. Container must drop all of [\"all\"]", - "name": "logging-ek-es-master-0", - "namespace": "logging" - } - ] -} -- GitLab From 3858927f0141050028cdd937545d5179d3f229eb Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Wed, 25 Aug 2021 17:48:09 -0500 Subject: [PATCH 09/36] testing values --- chart/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/chart/values.yaml b/chart/values.yaml
index 95fcd3e..41d2da8 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -165,8 +165,7 @@ cni:
 # global istiooperator values:
 meshConfig: {}
-Values:
- values:
+values:
 global:
 proxy:
 resources:
-- GitLab
From 4d88523b2e70ec46c9af1984f2756014319daea5 Mon Sep 17 00:00:00 2001
From: Ronnie Webb
Date: Wed, 25 Aug 2021 17:53:27 -0500
Subject: [PATCH 10/36] testing values
---
 chart/values.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/chart/values.yaml b/chart/values.yaml
index 41d2da8..7e865b9 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -166,6 +166,7 @@ cni:
 meshConfig: {}
 values:
+ values:
 global:
 proxy:
 resources:
-- GitLab
From a6d90fe3dde69affa0e847ddaff88cf97568ef9f Mon Sep 17 00:00:00 2001
From: Ronnie Webb
Date: Wed, 25 Aug 2021 18:05:20 -0500
Subject: [PATCH 11/36] testing values
---
 chart/values.yaml | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/chart/values.yaml b/chart/values.yaml
index 7e865b9..8d0551d 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -123,11 +123,11 @@ istiod:
 targetAverageUtilization: 60
 strategy: {}
 # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- podAnnotations: {}
- #sidecar.istio.io/proxyCPU: "150m"
- #sidecar.istio.io/proxyCPULimit: "150m"
- #sidecar.istio.io/proxyMemory: "128Mi"
- #sidecar.istio.io/proxyMemoryLimit: "128Mi"
+ podAnnotations:
+ sidecar.istio.io/proxyCPU: "150m"
+ sidecar.istio.io/proxyCPULimit: "150m"
+ sidecar.istio.io/proxyMemory: "128Mi"
+ sidecar.istio.io/proxyMemoryLimit: "128Mi"
 # k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
 serviceAnnotations: {}
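Review bot: The `+ values:` line in the `@@ -166,6 +166,7 @@` hunk nests a second `values` mapping under the top-level `values:` key, so `global.proxy.resources` now lives at `.Values.values.values.global` instead of `.Values.values.global`, and the diffstat (`1 file changed, 1 insertion(+)`) shows no template updated to read the deeper path, so the proxy resource defaults this series is trying to set would most likely be ignored silently. Patch 11/36 later in this series deletes the same line again; squashing patches 09–11 into one change that ends with `values:` → `global:` → `proxy:` would keep the broken intermediate state out of history.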
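Review bot: The four `sidecar.istio.io/proxy*` annotations added under the `istiod:` section's `podAnnotations` (hunk `@@ -123,11 +123,11 @@`) configure the resources of an injected sidecar proxy, and the istiod control-plane pod is not itself sidecar-injected, so on that Deployment they most likely have no effect; confirm what renders `istiod.podAnnotations` and, if the goal is to size every sidecar, set it through the `values.global.proxy.resources` block visible as context in the `@@ -165,8 +165,7 @@` hunk rather than through pod annotations. The same question applies to the `cni:` hunk that follows (`@@ -154,9 +154,14 @@`), whose DaemonSet pods are likewise not injected. Quoting the quantities (`"150m"`, `"128Mi"`) is correct since annotation values must be strings.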
@@ -154,9 +154,14 @@ cni:
 hub: registry1.dso.mil/ironbank/opensource/istio
 tag: 1.10.3
 # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- podAnnotations: {}
+ podAnnotations:
+ sidecar.istio.io/proxyCPU: "150m"
+ sidecar.istio.io/proxyCPULimit: "150m"
+ sidecar.istio.io/proxyMemory: "128Mi"
+ sidecar.istio.io/proxyMemoryLimit: "128Mi"
 # k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
- nodeSelector: {}
+ nodeSelector:
+
 # k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
 affinity: {}
 # k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
@@ -166,7 +171,6 @@ cni:
 meshConfig: {}
 values:
- values:
 global:
 proxy:
 resources:
-- GitLab
From 6a435cafc529200196dc75d49bfefe6ef8e9150f Mon Sep 17 00:00:00 2001
From: Ronnie Webb
Date: Wed, 25 Aug 2021 18:39:25 -0500
Subject: [PATCH 12/36] adjusting service
---
 chart/values.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/chart/values.yaml b/chart/values.yaml
index 8d0551d..bf0ace9 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
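Review bot: `+ nodeSelector:` in the `@@ -154,9 +154,14 @@` hunk replaces `nodeSelector: {}` with a key that has no value, which YAML parses as null rather than an empty mapping; a template that pipes `.Values.cni.nodeSelector` through `toYaml` will emit a literal `null` into the DaemonSet spec, and a `range` over it behaves differently from an empty map, so keep `nodeSelector: {}` and drop the empty `+` line added after it. Whether the consuming template guards the key with `with`/`if` is not visible from this hunk, so this should be checked by rendering the chart.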
@@ -43,10 +43,7 @@ ingressGateways: sidecar.istio.io/proxyMemory: "128Mi" sidecar.istio.io/proxyMemoryLimit: "128Mi" # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ serviceAnnotations: - sidecar.istio.io/proxyCPU: "150m" - sidecar.istio.io/proxyCPULimit: "150m" - sidecar.istio.io/proxyMemory: "128Mi" - sidecar.istio.io/proxyMemoryLimit: "128Mi" # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -- GitLab From c70b72e769375196d8c629edbc3eb97b5ad38f26 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Wed, 25 Aug 2021 18:47:22 -0500 Subject: [PATCH 13/36] adjusting values --- chart/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index bf0ace9..0205dcf 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -42,7 +42,7 @@ ingressGateways: sidecar.istio.io/proxyCPULimit: "150m" sidecar.istio.io/proxyMemory: "128Mi" sidecar.istio.io/proxyMemoryLimit: "128Mi" # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - serviceAnnotations: + serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity -- GitLab From 42a1294d216b2c95d2af60344cb71c04dd216918 Mon Sep 17 00:00:00 2001 
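Review bot: After the patch-12 hunk `serviceAnnotations:` has no value (the four removed lines were its only content), so it parses as `null` rather than an empty map; `serviceAnnotations: {}` keeps the type stable, and the next patch in the series does exactly that. The `# https://...annotations/` URL that documented `serviceAnnotations` now sits on a comment line of its own, while the copy still attached to `sidecar.istio.io/proxyMemoryLimit: "128Mi"` in the context belongs to `podAnnotations:`; moving it back onto the `podAnnotations:` key line would keep the file's inline-comment convention.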
From: Ronnie Webb Date: Wed, 25 Aug 2021 19:04:18 -0500 Subject: [PATCH 14/36] adjusting values --- chart/values.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 0205dcf..188ca11 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -37,11 +37,7 @@ ingressGateways: service: type: "LoadBalancer" # or "NodePort" # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup - podAnnotations: - sidecar.istio.io/proxyCPU: "150m" - sidecar.istio.io/proxyCPULimit: "150m" - sidecar.istio.io/proxyMemory: "128Mi" - sidecar.istio.io/proxyMemoryLimit: "128Mi" # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector -- GitLab From 86f58401b7cd1d142bb237bc10cf9cf8c723db44 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Wed, 25 Aug 2021 20:38:52 -0500 Subject: [PATCH 15/36] adjusting values --- chart/values.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 188ca11..9e3c5a6 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -37,7 +37,11 @@ ingressGateways: service: type: "LoadBalancer" # or "NodePort" # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup - podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: + sidecar.istio.io/proxyCPU: "150m" + sidecar.istio.io/proxyCPULimit: "150m" + sidecar.istio.io/proxyMemory: "128Mi" + sidecar.istio.io/proxyMemoryLimit: "128Mi"# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector @@ -123,7 +127,11 @@ istiod: sidecar.istio.io/proxyMemoryLimit: "128Mi" # k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - serviceAnnotations: {} + serviceAnnotations: + sidecar.istio.io/proxyCPU: "150m" + sidecar.istio.io/proxyCPULimit: "150m" + sidecar.istio.io/proxyMemory: "128Mi" + sidecar.istio.io/proxyMemoryLimit: "128Mi" # k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector nodeSelector: {} -- GitLab From effad962eae2a3acac1707423e90856fc118d904 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Thu, 26 Aug 2021 10:04:53 -0500 Subject: [PATCH 16/36] adjusting values.global --- chart/values.yaml | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 9e3c5a6..324fd86 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
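Review bot: `sidecar.istio.io/proxyMemoryLimit: "128Mi"# https://...` in the first hunk (`@@ -37,7 +37,11 @@ ingressGateways:`) has no whitespace before `#`; YAML requires a comment indicator to be preceded by whitespace, so how this parses is parser-dependent, and yamllint flags it. Put the URL on the key line instead, `podAnnotations: # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/`, and leave the values on their own lines. In the second hunk the same four `sidecar.istio.io/*` keys are added to istiod's `serviceAnnotations`; they land on a Service object, which the sidecar injector never reads, so they cannot size anything there.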
@@ -37,11 +37,7 @@ ingressGateways: service: type: "LoadBalancer" # or "NodePort" # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup - podAnnotations: - sidecar.istio.io/proxyCPU: "150m" - sidecar.istio.io/proxyCPULimit: "150m" - sidecar.istio.io/proxyMemory: "128Mi" - sidecar.istio.io/proxyMemoryLimit: "128Mi"# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector @@ -120,18 +116,10 @@ istiod: targetAverageUtilization: 60 strategy: {} # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - podAnnotations: - sidecar.istio.io/proxyCPU: "150m" - sidecar.istio.io/proxyCPULimit: "150m" - sidecar.istio.io/proxyMemory: "128Mi" - sidecar.istio.io/proxyMemoryLimit: "128Mi" + podAnnotations: {} # k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - serviceAnnotations: - sidecar.istio.io/proxyCPU: "150m" - sidecar.istio.io/proxyCPULimit: "150m" - sidecar.istio.io/proxyMemory: "128Mi" - sidecar.istio.io/proxyMemoryLimit: "128Mi" + serviceAnnotations: {} # k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector nodeSelector: {} @@ -181,6 +169,14 @@ values: limits: cpu: 150m memory: 128Mi + proxy_init: + resources: + limits: + cpu: 150m + memory: 128Mi + requests: + cpu: 150m + memory: 128Mi networkPolicies: enabled: false # See `kubectl cluster-info` and then resolve to IP -- GitLab From bef566895b5bdb06bd368a096d896796e2f37c46 Mon Sep 17 00:00:00 2001 
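Review bot: The new `proxy_init.resources` block in the third hunk (`@@ -181,6 +169,14 @@ values:`) lists `limits` before `requests`, while the `proxy.resources` block directly above it lists `requests` before `limits`; using the same key order in both makes the two blocks easy to compare. The values mirror `proxy` (`150m`/`128Mi`), which reads as intentional, so a one-line comment above the block such as `# proxy_init intentionally mirrors proxy.resources` would make that explicit for the next editor.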
From: Ronnie Webb Date: Fri, 27 Aug 2021 02:15:42 +0000 Subject: [PATCH 17/36] Update values.yaml --- chart/values.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 324fd86..e99a368 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -164,19 +164,19 @@ values: proxy: resources: requests: - cpu: 150m - memory: 128Mi + cpu: 2 + memory: 512Mi limits: - cpu: 150m - memory: 128Mi + cpu: 2 + memory: 512Mi proxy_init: resources: limits: - cpu: 150m - memory: 128Mi + cpu: 2 + memory: 512Mi requests: - cpu: 150m - memory: 128Mi + cpu: 2 + memory: 512Mi networkPolicies: enabled: false # See `kubectl cluster-info` and then resolve to IP -- GitLab From 7f584d37883a1aca2e224fade342d98ad77017eb Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Thu, 26 Aug 2021 21:36:04 -0500 Subject: [PATCH 18/36] adjusting values.global --- chart/templates/controlplane.yaml | 2 +- chart/values.yaml | 34 +++++++++++++++---------------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/chart/templates/controlplane.yaml b/chart/templates/controlplane.yaml index 281edcd..f7cdca4 100644 --- a/chart/templates/controlplane.yaml +++ b/chart/templates/controlplane.yaml @@ -127,4 +127,4 @@ spec: - matchExpressions: - key: app.kubernetes.io/component operator: In - values: [fluentd-configcheck] + values: [fluentd-configcheck] \ No newline at end of file diff --git a/chart/values.yaml b/chart/values.yaml index 324fd86..c1f5a2a 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
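Review bot: `cpu: 2` as both request and limit on `proxy` and `proxy_init` reserves two full cores for every injected pod's sidecar and init container; on small nodes that alone can make workloads unschedulable, and it is more than ten times the `150m` the same keys carried one patch earlier. The bare `2` is also the only unquoted integer among the quantity values; Kubernetes accepts a numeric quantity, but `"2"` (or `"2000m"`) matches the rest of the file. The `index` lines show this patch (`324fd86..e99a368`) and the next (`324fd86..c1f5a2a`) start from the same parent, so patch 18 supersedes these values rather than building on them — the series is not linear here and likely needs a rebase.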
@@ -160,23 +160,23 @@ cni: meshConfig: {} values: - global: - proxy: - resources: - requests: - cpu: 150m - memory: 128Mi - limits: - cpu: 150m - memory: 128Mi - proxy_init: - resources: - limits: - cpu: 150m - memory: 128Mi - requests: - cpu: 150m - memory: 128Mi + global: + proxy: + resources: + requests: + cpu: "150m" + memory: "128Mi" + limits: + cpu: "150m" + memory: "128Mi" + proxy_init: + resources: + limits: + cpu: "150m" + memory: "128Mi" + requests: + cpu: "150m" + memory: "128Mi" networkPolicies: enabled: false # See `kubectl cluster-info` and then resolve to IP -- GitLab From e7108dfea129a5bd75f82a3109690a4503f78e4b Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Thu, 26 Aug 2021 21:39:51 -0500 Subject: [PATCH 19/36] adjusting values.global --- chart/values.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index c1f5a2a..43542e5 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -143,13 +143,9 @@ cni: hub: registry1.dso.mil/ironbank/opensource/istio tag: 1.10.3 # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - podAnnotations: - sidecar.istio.io/proxyCPU: "150m" - sidecar.istio.io/proxyCPULimit: "150m" - sidecar.istio.io/proxyMemory: "128Mi" - sidecar.istio.io/proxyMemoryLimit: "128Mi" + podAnnotations: {} # k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - nodeSelector: + nodeSelector: {} # k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity affinity: {} -- GitLab From bda052aada29933130ec88c17bcec76ef51fa93e Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Fri, 27 Aug 2021 02:58:23 +0000 Subject: [PATCH 20/36] Update values.yaml --- chart/values.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 43542e5..46b349c 100644 
--- a/chart/values.yaml +++ b/chart/values.yaml @@ -160,19 +160,19 @@ values: proxy: resources: requests: - cpu: "150m" - memory: "128Mi" + cpu: 500m + memory: 512Mi limits: - cpu: "150m" - memory: "128Mi" + cpu: 500m + memory: 512Mi proxy_init: resources: limits: - cpu: "150m" - memory: "128Mi" + cpu: 500m + memory: 512Mi requests: - cpu: "150m" - memory: "128Mi" + cpu: 500m + memory: 512Mi networkPolicies: enabled: false # See `kubectl cluster-info` and then resolve to IP -- GitLab From aa615076601fdd9548b2c4e5633cc8c52d8a9a51 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Thu, 26 Aug 2021 22:13:25 -0500 Subject: [PATCH 21/36] adjusting values.global --- chart/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index 43542e5..584698f 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -145,7 +145,7 @@ cni: # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ podAnnotations: {} # k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - nodeSelector: {} + nodeSelector: [] # k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity affinity: {} -- GitLab From 65988ef8233e3cada7054c7be9f7a1bfe4524301 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Thu, 26 Aug 2021 22:51:26 -0500 Subject: [PATCH 22/36] adjusting values.global --- chart/values.yaml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index b6bfbdf..7164981 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
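Review bot: The patch-20 hunk drops the quotes that patch 18 had added to the same eight quantity values (`cpu: 500m`, `memory: 512Mi`); both forms parse as strings, but reversing the convention two commits later leaves the file's style undecided — choose quoted or unquoted quantities for the whole `values.global` block and keep it. As with patch 17, `index 43542e5..46b349c` here and `index 43542e5..584698f` in the next patch share a parent, so this edit forks the series again.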
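Review bot: `nodeSelector: []` in the patch-21 cni hunk changes the value from a map to a list, but Kubernetes `nodeSelector` is a string-to-string map; a template rendering it with `toYaml` would emit `nodeSelector: []`, which the API server rejects as a type mismatch. Keep `nodeSelector: {}` — patch 27 reverts to it.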
@@ -27,19 +27,18 @@ ingressGateways: extraLabels: {} # Automatic labels: 'app: {ingress gateway name}' and `istio: ingressgateway` k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec # hpaSpec: By default, HPA is set from 1-5 instances with a target average utilization of 80% - resources: - requests: - cpu: 1.5 - memory: 2Gi - limits: - cpu: 1.5 - memory: 2Gi + resources: {} + # requests: + # cpu: 1.5 + # memory: 2Gi + # limits: + # cpu: 1.5 + # memory: 2Gi service: type: "LoadBalancer" # or "NodePort" # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - serviceAnnotations: {} - # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -- GitLab From 49a2a975044742bc426c40f60046835e1ab26572 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Thu, 26 Aug 2021 23:25:16 -0500 Subject: [PATCH 23/36] adjusting values.global --- chart/values.yaml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 7164981..137e835 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
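Review bot: The commented-out example under `resources: {}` keeps `cpu: 1.5` as an unquoted float; if a user uncomments it that is still an accepted quantity, but the millicore string form `cpu: "1500m"` is unambiguous and consistent with the `"150m"` strings used elsewhere in this file. Rejoining the URL onto `serviceAnnotations: {} # https://...` in the same hunk is the right fix for the comment that had been split onto its own line.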
@@ -155,23 +155,23 @@ cni: meshConfig: {} values: - global: - proxy: - resources: - requests: - cpu: 500m - memory: 512Mi - limits: - cpu: 500m - memory: 512Mi - proxy_init: - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 500m - memory: 512Mi + global: {} + # proxy: + # resources: + # requests: + # cpu: 500m + # memory: 512Mi + # limits: + # cpu: 500m + # memory: 512Mi + # proxy_init: + # resources: + # limits: + # cpu: 500m + # memory: 512Mi + # requests: + # cpu: 500m + # memory: 512Mi networkPolicies: enabled: false # See `kubectl cluster-info` and then resolve to IP -- GitLab From 1a11a299e1f61299e4bad213f672035d4e2d7ef3 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Fri, 27 Aug 2021 15:40:56 -0500 Subject: [PATCH 24/36] adjusting values.global --- chart/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index 137e835..92d779a 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -4,7 +4,7 @@ profile: default # The hub to use for the image (note: the image is built as ".Values.hub/:.Values.tag" hub: registry1.dso.mil/ironbank/opensource/istio # The tag to use for the image -tag: 1.10.3 +tag: 1.9.7 # The domain to use for the default gateway domain: bigbang.dev -- GitLab From 6a4f3d95f1bd67c1ccb44278a59a7f5d65e7a96a Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Fri, 27 Aug 2021 16:49:55 -0500 Subject: [PATCH 25/36] adjusting values.global --- chart/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index 92d779a..7b11623 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -4,7 +4,7 @@ profile: default # The hub to use for the image (note: the image is built as ".Values.hub/:.Values.tag" hub: registry1.dso.mil/ironbank/opensource/istio # The tag to use for the image -tag: 1.9.7 +tag: 1.9.7-bb.1 # The domain to use for the default gateway domain: bigbang.dev -- GitLab 
From 15ccabbbb846f428b0b4303759e57dfd14667281 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Fri, 27 Aug 2021 17:04:14 -0500 Subject: [PATCH 26/36] adjusting values.global --- chart/values.yaml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 7b11623..7164981 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -4,7 +4,7 @@ profile: default # The hub to use for the image (note: the image is built as ".Values.hub/:.Values.tag" hub: registry1.dso.mil/ironbank/opensource/istio # The tag to use for the image -tag: 1.9.7-bb.1 +tag: 1.10.3 # The domain to use for the default gateway domain: bigbang.dev @@ -155,23 +155,23 @@ cni: meshConfig: {} values: - global: {} - # proxy: - # resources: - # requests: - # cpu: 500m - # memory: 512Mi - # limits: - # cpu: 500m - # memory: 512Mi - # proxy_init: - # resources: - # limits: - # cpu: 500m - # memory: 512Mi - # requests: - # cpu: 500m - # memory: 512Mi + global: + proxy: + resources: + requests: + cpu: 500m + memory: 512Mi + limits: + cpu: 500m + memory: 512Mi + proxy_init: + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 500m + memory: 512Mi networkPolicies: enabled: false # See `kubectl cluster-info` and then resolve to IP -- GitLab From 6a7a6e7276c8246a98bdd62f08373bd3a9379606 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Fri, 27 Aug 2021 17:36:25 -0500 Subject: [PATCH 27/36] adjusting values.global --- chart/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index 7164981..fac7e51 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
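Review bot: This patch's `index 7b11623..7164981` ends at the same blob that patch 22 produced, so it appears to be a straight revert of patches 23–25 (the `tag:` changes and the commented-out `global:` block) rather than a new change; squashing 23–26 would leave a readable history. If the re-enabled `proxy`/`proxy_init` block is the intended default, a short comment above `global:` explaining why each request is set equal to its limit, e.g. `# request == limit is intentional; size per cluster capacity`, would save the next reader from re-deriving it.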
@@ -144,7 +144,7 @@ cni: # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ podAnnotations: {} # k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - nodeSelector: [] + nodeSelector: {} # k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity affinity: {} -- GitLab From 8138fdbd43eddb834ffa99dc5250b0c1bb356904 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Fri, 27 Aug 2021 19:21:54 -0500 Subject: [PATCH 28/36] adjusting values.global --- chart/values.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index fac7e51..ff0aa7c 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -27,13 +27,13 @@ ingressGateways: extraLabels: {} # Automatic labels: 'app: {ingress gateway name}' and `istio: ingressgateway` k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec # hpaSpec: By default, HPA is set from 1-5 instances with a target average utilization of 80% - resources: {} - # requests: - # cpu: 1.5 - # memory: 2Gi - # limits: - # cpu: 1.5 - # memory: 2Gi + resources: + requests: + cpu: 1.5 + memory: 2Gi + limits: + cpu: 1.5 + memory: 2Gi service: type: "LoadBalancer" # or "NodePort" # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup -- GitLab From 974ce820d10d92fac1bdbf4aef7eb3fd3e1d1dd9 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Fri, 27 Aug 2021 19:37:47 -0500 Subject: [PATCH 29/36] adjusting values.global --- chart/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index ff0aa7c..f4cf947 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -29,11 +29,11 @@ ingressGateways: # hpaSpec: By default, HPA is set from 1-5 instances with a target average utilization of 80% resources: requests: - cpu: 1.5 - memory: 2Gi + cpu: 120m + memory: 128Mi limits: - cpu: 1.5 - memory: 2Gi + cpu: 120m + memory: 128Mi service: type: "LoadBalancer" # or "NodePort" # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup -- GitLab From b67c1812ae83e42bfcc071e5d9e50ba4c2a83a87 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Sun, 29 Aug 2021 22:14:30 -0500 Subject: [PATCH 30/36] adjusting values.global --- chart/values.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index f4cf947..a45faad 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -37,7 +37,11 @@ ingressGateways: service: type: "LoadBalancer" # or "NodePort" # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup - podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + sidecar.istio.io/proxyCPULimit: 150m + sidecar.istio.io/proxyCPU: 150m + sidecar.istio.io/proxyMemory: 256Mi + sidecar.istio.io/proxyMemoryLimit: 256Mi serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity -- GitLab From a05df6e8a0f347fd083b7230c7290547b8bc4f26 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Sun, 29 Aug 2021 23:10:22 -0500 Subject: [PATCH 31/36] adjusting values.global --- chart/values.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index a45faad..8ca2ae3 100644 
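Review bot: `cpu: 120m` and `memory: 128Mi` as both request and limit for the ingress gateway (patch-29 hunk) cap the proxy that terminates all inbound mesh traffic at roughly an eighth of a core; under load that is likely to surface as CPU throttling and added latency before the HPA (1–5 instances per the comment above) scales out. A request at that level is reasonable, but gateway limits are usually set several times higher than the request; the right numbers depend on expected traffic, so at minimum a comment stating the sizing assumption belongs on this block.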
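Review bot: The `sidecar.istio.io/proxyCPU*`/`proxyMemory*` keys added under the gateway `podAnnotations` in the patch-30 hunk are read by the sidecar injector; an operator-managed ingress gateway runs the proxy as its main container and takes its sizing from the `k8s.resources` block earlier in this hunk, so unless this gateway is deployed through injection the annotations do nothing, and carrying both makes it unclear which is authoritative. The values are also unquoted here (`150m`, `256Mi`) where the same keys were written `"150m"` in patches 11–16; annotation values are strings, and quoting keeps that explicit. `proxyCPULimit` is listed before `proxyCPU`, the reverse of the order used earlier.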
--- a/chart/values.yaml +++ b/chart/values.yaml @@ -42,7 +42,12 @@ ingressGateways: sidecar.istio.io/proxyCPU: 150m sidecar.istio.io/proxyMemory: 256Mi sidecar.istio.io/proxyMemoryLimit: 256Mi - serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + + serviceAnnotations: # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + sidecar.istio.io/proxyCPULimit: 150m + sidecar.istio.io/proxyCPU: 150m + sidecar.istio.io/proxyMemory: 256Mi + sidecar.istio.io/proxyMemoryLimit: 256Mi nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ @@ -119,7 +124,11 @@ istiod: targetAverageUtilization: 60 strategy: {} # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - podAnnotations: {} + podAnnotations: + sidecar.istio.io/proxyCPULimit: 150m + sidecar.istio.io/proxyCPU: 150m + sidecar.istio.io/proxyMemory: 256Mi + sidecar.istio.io/proxyMemoryLimit: 256Mi # k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ serviceAnnotations: {} -- GitLab From 1b5a62086cfddba29303e3f970102bdb40789ee6 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Sun, 29 Aug 2021 23:44:24 -0500 Subject: [PATCH 32/36] adjusting values.global --- chart/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 8ca2ae3..b85d4c6 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
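Review bot: The first hunk puts `sidecar.istio.io/*` annotations on the ingress gateway's `serviceAnnotations`, i.e. on the Service object; the sidecar injector reads pod annotations only, so these four keys are inert there. The hunk also inserts a blank line before `serviceAnnotations:` where the neighbouring keys have none. In the second hunk the same keys go on istiod's `podAnnotations`; istiod is not sidecar-injected, so that block (raised to `300m`/`512Mi` in patch 32) has no effect either, and patch 33 removes both again.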
@@ -125,10 +125,10 @@ istiod: strategy: {} # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ podAnnotations: - sidecar.istio.io/proxyCPULimit: 150m - sidecar.istio.io/proxyCPU: 150m - sidecar.istio.io/proxyMemory: 256Mi - sidecar.istio.io/proxyMemoryLimit: 256Mi + sidecar.istio.io/proxyCPULimit: 300m + sidecar.istio.io/proxyCPU: 300m + sidecar.istio.io/proxyMemory: 512Mi + sidecar.istio.io/proxyMemoryLimit: 512Mi # k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ serviceAnnotations: {} -- GitLab From e2647ca9150069678b76cc3ca90b60515bcd66e9 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Mon, 30 Aug 2021 14:33:44 -0500 Subject: [PATCH 33/36] adjusting values.global --- chart/values.yaml | 27 ++++----------------------- 1 file changed, 4 insertions(+), 23 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index b85d4c6..7ab6b72 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -27,27 +27,12 @@ ingressGateways: extraLabels: {} # Automatic labels: 'app: {ingress gateway name}' and `istio: ingressgateway` k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec # hpaSpec: By default, HPA is set from 1-5 instances with a target average utilization of 80% - resources: - requests: - cpu: 120m - memory: 128Mi - limits: - cpu: 120m - memory: 128Mi + resources: {} service: type: "LoadBalancer" # or "NodePort" # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup - podAnnotations: # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - sidecar.istio.io/proxyCPULimit: 150m - sidecar.istio.io/proxyCPU: 150m - sidecar.istio.io/proxyMemory: 256Mi - sidecar.istio.io/proxyMemoryLimit: 256Mi - - serviceAnnotations: # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - sidecar.istio.io/proxyCPULimit: 150m - sidecar.istio.io/proxyCPU: 150m - sidecar.istio.io/proxyMemory: 256Mi - sidecar.istio.io/proxyMemoryLimit: 256Mi + podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ 
@@ -124,11 +109,7 @@ istiod: targetAverageUtilization: 60 strategy: {} # k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - podAnnotations: - sidecar.istio.io/proxyCPULimit: 300m - sidecar.istio.io/proxyCPU: 300m - sidecar.istio.io/proxyMemory: 512Mi - sidecar.istio.io/proxyMemoryLimit: 512Mi + podAnnotations: {} # k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ serviceAnnotations: {} -- GitLab From 1764596fd63cb7c78bb04be0da7c114d7e773085 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Mon, 30 Aug 2021 15:48:00 -0500 Subject: [PATCH 34/36] adding new value --- chart/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index ecf3ed6..174a0ad 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,3 +1,3 @@ apiVersion: v2 name: istio -version: 1.10.3-bb.0 +version: 1.10.3-bb.1 -- GitLab From 45c6bfd4b1a230f2a7ce2f8ddb394ad2628ab041 Mon Sep 17 00:00:00 2001 From: Ronnie Webb Date: Wed, 1 Sep 2021 17:44:36 -0500 Subject: [PATCH 35/36] #77 Adding Values from MM suggestions --- chart/values.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 7ab6b72..6ce0b1a 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -153,19 +153,19 @@ values: proxy: resources: requests: - cpu: 500m - memory: 512Mi + cpu: 100m + memory: 256Mi limits: - cpu: 500m - memory: 512Mi + cpu: 100m + memory: 256Mi proxy_init: resources: limits: - cpu: 500m - memory: 512Mi + cpu: 100m + memory: 256Mi requests: - cpu: 500m - memory: 512Mi + cpu: 100m + memory: 256Mi networkPolicies: enabled: false # See `kubectl cluster-info` and then resolve to IP -- GitLab From ce501babd0683cb954cb60d1b403d53d47e985b5 Mon Sep 17 00:00:00 2001 
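Review bot: Setting `limits` equal to `requests` at `cpu: 100m` for `proxy` in the patch-35 hunk (`@@ -153,19 +153,19 @@ values:`) caps every sidecar at a tenth of a core; a Gatekeeper constraint normally only requires limits to be present, so the limit can stay well above the request — as far as I recall, upstream Istio's defaults keep the request at `100m` but set the CPU limit far higher. A comment on the block recording why these are set, e.g. `# limits required by the cluster's Gatekeeper policy (#77)`, would explain the change to the next reader. If the equal values are deliberate, say so in that comment.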
From: Ronnie Webb Date: Wed, 1 Sep 2021 17:54:47 -0500 Subject: [PATCH 36/36] #77 Adding Values from MM suggestions and Changelog --- CHANGELOG.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7099c7a..4d76aad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,50 +2,77 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.10.3-bb.1] + +### Changed + +- Update Istio proxy and proxy init pods to be in compliance with opa gatekeeper. + ## [1.10.3-bb.0] + ### Changed + - Update to Istio 1.10.3 ## [1.9.7-bb.1] + ### Added + - Default configuration to hold application start until istio proxy is ready ## [1.9.7-bb.0] + ### Changed + - Update to Istio 1.9.7 ## [1.8.4-bb.6] + ### Changed + - **BREAKING** `ingressGateway` deprecated in favor of creating `ingressGateways` in a uniform manner - **BREAKING** `gateway` deprecated in favor of creating `gateways` in a uniform manner ## [1.8.4-bb.5] + ### Fixed + - Kube API egress allowed for all pods, not just istiod ## [1.8.4-bb.4] + ### Added + - Kube API egress networkpolicy ## [1.8.4-bb.3] + ### Added + - Added network policies for istio ## [1.8.4-bb.2] + ### Fixed + - fixed bug with indentation when providing resources to istio ingressgateways ## [1.8.4-bb.1] + ### Fixed + - updated dsop.io registry hostname to dso.mil ## [1.7.3-bb.1] + ### Added + - Top level "sso" values designation. This will enable an haproxy package installation in the desired namespace (sso.namespace: istio-addons-sso) that in conjunction with authservice package will place an SSO gate in front of Kiali+Jaeger UIs. - Top level "ingress" values designation. This will control configuration for the virtualservices created. Leave empty with sso.enabled = false to have the virtualservices go straight to the kiali/jaeger UIs. Leave empty with sso.enabled = true to place the haproxy+authservice injection in front of kiali/tracing. Fill in with your own service/port if customizing the installation/services. 
- New Jaeger+Kiali VirtualServices pointing to the haproxy installation will be installed when "sso.enabled: true" - sso.selector variable sets the label that will be applied to the authservice EnvoyFilter placing the SSO page in front of the regular UIs. Must match the selector for "authservice.selector.key/value". ### Changed + - Jaeger+Kiali VirtualServices pointing directly to the UIs will be skipped when "sso.enabled: true" - Jaeger+Kiali VirtualServices pull in their configs from the "ingress" designation so VirtualServices can be customized. -- GitLab