[datagov-brokerpak-eks] 2048.yml vulnerabilities #4097

Closed
6 tasks
nickumia-reisys opened this issue Dec 6, 2022 · 2 comments
Labels
bug (Software defect or bug), compliance (Relating to security compliance or documentation)

Comments


nickumia-reisys commented Dec 6, 2022

Date of report: 12/06/2022
Severity: Moderate and Low (not active in production)

The due date is based on severity, as described in RA-5: 15 days for Critical, 30 days for High, and 90 days for Moderate and lower.

  • Container is running without root user control (Moderate)
    • Detailed paths
    • This issue is...
      • Container is running without root user control
    • The impact of this is...
      • Container could be running with full administrative privileges
    • You can resolve it by...
      • Set securityContext.runAsNonRoot to true
  • Container does not drop all default capabilities (Moderate)
    • Detailed paths
      • Introduced through: [DocId: 0] › input › spec › template › spec › containers[app-2048] › securityContext › capabilities › drop
    • This issue is...
      • All default capabilities are not explicitly dropped
    • The impact of this is...
      • Containers are running with potentially unnecessary privileges
    • You can resolve it by...
      • Add ALL to securityContext.capabilities.drop list, and add only required capabilities in securityContext.capabilities.add
  • Container is running without liveness probe (Low)
    • Detailed paths
      • Introduced through: [DocId: 0] › spec › template › spec › containers[app-2048] › livenessProbe
    • This issue is...
      • Liveness probe is not defined
    • The impact of this is...
      • Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods
    • You can resolve it by...
      • Add livenessProbe attribute
  • Container is running with writable root filesystem (Low)
    • Detailed paths
      • Introduced through: [DocId: 0] › input › spec › template › spec › containers[app-2048] › securityContext › readOnlyRootFilesystem
    • This issue is...
      • readOnlyRootFilesystem attribute is not set to true
    • The impact of this is...
      • Compromised process could abuse writable root filesystem to elevate privileges
    • You can resolve it by...
      • Set securityContext.readOnlyRootFilesystem to true
  • Container has no CPU limit (Low)
    • Detailed paths
      • Introduced through: [DocId: 0] › input › spec › template › spec › containers[app-2048] › resources › limits › cpu
    • This issue is...
      • Container has no CPU limit
    • The impact of this is...
      • CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.
    • You can resolve it by...
      • Add resources.limits.cpu field with required CPU limit value
  • Container is running without memory limit (Low)
    • Detailed paths
      • Introduced through: [DocId: 0] › input › spec › template › spec › containers[app-2048] › resources › limits › memory
    • This issue is...
      • Memory limit is not defined
    • The impact of this is...
      • Containers without memory limits are more likely to be terminated when the node runs out of memory
    • You can resolve it by...
      • Set resources.limits.memory value
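The following Deployment is an added example, not the repository's 2048.yml, showing one way to address all six findings above in a single container spec for app-2048; the image, listening port, UID, probe timings and resource values are assumptions chosen for illustration and must be tuned to the real image.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-2048
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: app-2048
  template:
    metadata:
      labels:
        app.kubernetes.io/name: app-2048
    spec:
      containers:
        - name: app-2048
          image: IMAGE_PLACEHOLDER        # placeholder: use the image the real manifest deploys
          ports:
            - containerPort: 80           # assumption: the app listens on port 80
          securityContext:
            runAsNonRoot: true            # finding: running without root user control
            runAsUser: 10001              # assumption: a non-zero UID the image can run as
            allowPrivilegeEscalation: false  # not a listed finding, but commonly set alongside
            readOnlyRootFilesystem: true  # finding: writable root filesystem
            capabilities:
              drop: ["ALL"]               # finding: default capabilities not dropped
              # add: ["NET_BIND_SERVICE"] # only if a non-root process must bind a port < 1024
          livenessProbe:                  # finding: no liveness probe
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            requests:                     # requests set so the scheduler can place the pod sensibly
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m                   # finding: no CPU limit
              memory: 128Mi               # finding: no memory limit
          volumeMounts:                   # a read-only root fs still needs a writable scratch dir
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

An image that writes outside /tmp (for example a web server's cache or pid directory) needs an additional emptyDir mount for each such path, or it will fail to start once readOnlyRootFilesystem is enforced.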
@nickumia-reisys nickumia-reisys added compliance Relating to security compliance or documentation bug Software defect or bug labels Dec 6, 2022
@nickumia-reisys

This is important to complete, but does not affect anything in production (even when fixed).

@nickumia-reisys nickumia-reisys changed the title [datagov-brokerpak-eks] Container is running without root user control [datagov-brokerpak-eks] 2048.yml vulnerabilities Dec 6, 2022
@nickumia-reisys

Re-issued in eks-brokerpak repo

@nickumia-reisys nickumia-reisys moved this to ✔ Done in data.gov team board Dec 7, 2022
@hkdctol hkdctol moved this from ✔ Done to 🗄 Closed in data.gov team board May 30, 2023
@btylerburton btylerburton reopened this Sep 3, 2024
@github-project-automation github-project-automation bot moved this from 🗄 Closed to 📟 Sprint Backlog [7] in data.gov team board Sep 3, 2024
@github-project-automation github-project-automation bot moved this from 📟 Sprint Backlog [7] to ✔ Done in data.gov team board Sep 3, 2024
@btylerburton btylerburton moved this from ✔ Done to 🗄 Closed in data.gov team board Sep 3, 2024