Comments (5)
Thank you for reporting this.
@YiscahLevySilas1 can you please take a look?
Hi @jankoh ,
AFAIU, the runAsNonRoot field affects the UID but not the GID, so even if runAsNonRoot is true it would still be best practice to define runAsGroup explicitly. From the k8s documentation:
runAsNonRoot (boolean): Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
I agree that our remediation does not reflect that, wdyt about the following suggestion?
Remediation
If your application does not need root privileges, make sure to define runAsNonRoot as true or explicitly set the runAsUser using ID 1000 or higher under the PodSecurityContext or container securityContext. In addition, set an explicit value for runAsGroup using ID 1000 or higher.
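As an added example (not code from the issue, the regolibrary or Kubescape's own rule), here is a small Python checker that applies the proposed remediation to a Pod manifest, merging the pod-level and container-level securityContext with the container taking precedence as the quoted k8s documentation states; the sample manifest is constructed, and the 1000 threshold is the one from the remediation text.

```python
MIN_ID = 1000  # ID threshold taken from the remediation text


def effective_security_context(pod_spec: dict, container: dict) -> dict:
    """Merge pod-level securityContext with the container's; the container's
    values take precedence, as the quoted k8s documentation states."""
    merged = dict(pod_spec.get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def check_container(pod_spec: dict, container: dict) -> list:
    """Return the remediation findings for one container (empty = compliant)."""
    ctx = effective_security_context(pod_spec, container)
    findings = []
    uid = ctx.get("runAsUser")
    # runAsNonRoot only guards the UID; runAsUser >= 1000 is the explicit alternative.
    if not (ctx.get("runAsNonRoot") is True or (uid is not None and uid >= MIN_ID)):
        findings.append("UID: set runAsNonRoot=true or runAsUser>=1000")
    # runAsNonRoot says nothing about the GID, so runAsGroup must be set explicitly.
    gid = ctx.get("runAsGroup")
    if gid is None or gid < MIN_ID:
        findings.append("GID: set runAsGroup>=1000 explicitly")
    return findings


def check_pod(pod: dict) -> dict:
    """Map each container name to its findings."""
    spec = pod["spec"]
    return {c["name"]: check_container(spec, c) for c in spec.get("containers", [])}


# Constructed sample manifest (not from the issue): the first container relies on
# the pod-level runAsNonRoot alone, the second follows the proposed remediation.
SAMPLE_POD = {
    "kind": "Pod",
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "nonroot-only", "image": "nginx"},
            {"name": "remediated", "image": "nginx",
             "securityContext": {"runAsUser": 1000, "runAsGroup": 3000}},
        ],
    },
}

if __name__ == "__main__":
    for name, findings in check_pod(SAMPLE_POD).items():
        print(f"{name}: {'PASS' if not findings else '; '.join(findings)}")
```

The first container passes the UID condition through the inherited runAsNonRoot but is still flagged for the missing runAsGroup, which is exactly the gap the comment describes.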
@YiscahLevySilas1 I think that change would make it clear what needs to be done to prevent the finding. Thank you! 😃
Great - thanks for reporting, I'll update the remediation
Resolved in regolibrary PR #585