Added securityContext values #9
helm-chart-release-on-tag.yaml
on: push
scan / Kics Helm Chart Scan (26s)
release_helm / release (50s)
Annotations
11 warnings
[MEDIUM] CPU Limits Not Set:
charts/dbp-moodle/charts/moodlecronjob/templates/cronjob.yml#L105
CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
[MEDIUM] CPU Requests Not Set:
charts/dbp-moodle/charts/moodlecronjob/templates/cronjob.yml#L105
CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node
[MEDIUM] Container Running As Root:
charts/dbp-moodle/charts/moodlecronjob/templates/cronjob.yml#L105
Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise
[MEDIUM] Container Running With Low UID:
charts/dbp-moodle/charts/moodlecronjob/templates/cronjob.yml#L106
Check if containers are running with low UID, which might cause conflicts with the host's user table.
[MEDIUM] Memory Limits Not Defined:
charts/dbp-moodle/charts/moodlecronjob/templates/cronjob.yml#L105
Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory
[MEDIUM] Memory Requests Not Defined:
charts/dbp-moodle/charts/moodlecronjob/templates/cronjob.yml#L105
Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes
[MEDIUM] Permissive Access to Create Pods:
charts/dbp-moodle/templates/roles/moodle-cronjob-role.yaml#L5
The permission to create pods in a cluster should be restricted because it allows privilege escalation.
[MEDIUM] RBAC Roles with Exec Permission:
charts/dbp-moodle/templates/roles/moodle-cronjob-role.yaml#L5
Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments
[MEDIUM] Seccomp Profile Is Not Configured:
charts/dbp-moodle/charts/moodlecronjob/templates/cronjob.yml#L106
Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
[MEDIUM] Service Account Token Automount Not Disabled:
charts/dbp-moodle/charts/moodlecronjob/templates/cronjob.yml#L93
Service Account Tokens are automatically mounted even if not necessary
release_helm / release
The following actions use a deprecated Node.js version and will be forced to run on node20: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/