ADDITIONAL INFORMATION
$ wget ${KUBE_AUDIT_DOWNLOAD_URL} && tar -zxf kubeaudit_*.tar.gz kubeaudit && chown root:root kubeaudit
Connecting to github.com (140.82.121.3:443)
Connecting to objects.githubusercontent.com (185.199.108.133:443)
saving to 'kubeaudit_0.19.0_linux_amd64.tar.gz'
kubeaudit_0.19.0_lin 100% |********************************| 9526k 0:00:00 ETA
'kubeaudit_0.19.0_linux_amd64.tar.gz' saved
$ tar_name=$(ls kubeaudit_*.tar.gz) && echo "${CHECKSUM} $tar_name" | sha256sum -c
kubeaudit_0.19.0_linux_amd64.tar.gz: OK
$ ./kubeaudit all
level=info msg="Running inside cluster, using the cluster config"
---------------- Results for ---------------
apiVersion: v1
kind: Pod
metadata:
name: runner-uxmmvxa-project-concurrent-0hpjxm
namespace: tools
--------------------------------------------
-- [error] AppArmorAnnotationMissing
Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/build' should be added.
Metadata:
Container: build
MissingAnnotation: container.apparmor.security.beta.kubernetes.io/build
-- [error] AppArmorAnnotationMissing
Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/helper' should be added.
Metadata:
Container: helper
MissingAnnotation: container.apparmor.security.beta.kubernetes.io/helper
-- [error] AppArmorAnnotationMissing
Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/init-permissions' should be added.
Metadata:
Container: init-permissions
MissingAnnotation: container.apparmor.security.beta.kubernetes.io/init-permissions
-- [error] CapabilityShouldDropAll
Message: Capability Drop list should be set to ALL. Add the specific ones you need to the Add list and set an override label.
Metadata:
Container: build
-- [error] CapabilityShouldDropAll
Message: Capability Drop list should be set to ALL. Add the specific ones you need to the Add list and set an override label.
Metadata:
Container: helper
-- [error] CapabilityOrSecurityContextMissing
Message: Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL.
Metadata:
Container: init-permissions
-- [warning] LimitsNotSet
Message: Resource limits not set.
Metadata:
Container: build
-- [warning] LimitsNotSet
Message: Resource limits not set.
Metadata:
Container: helper
-- [warning] LimitsNotSet
Message: Resource limits not set.
Metadata:
Container: init-permissions
-- [error] RunAsNonRootPSCNilCSCNil
Message: runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.
Metadata:
Container: build
-- [error] RunAsNonRootPSCNilCSCNil
Message: runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.
Metadata:
Container: helper
-- [error] RunAsNonRootPSCNilCSCNil
Message: runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.
Metadata:
Container: init-permissions
-- [error] AllowPrivilegeEscalationNil
Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
Metadata:
Container: build
-- [error] AllowPrivilegeEscalationNil
Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
Metadata:
Container: helper
-- [error] AllowPrivilegeEscalationNil
Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
Metadata:
Container: init-permissions
-- [error] PrivilegedTrue
Message: privileged is set to 'true' in container SecurityContext. It should be set to 'false'.
Metadata:
Container: build
-- [error] PrivilegedTrue
Message: privileged is set to 'true' in container SecurityContext. It should be set to 'false'.
Metadata:
Container: helper
-- [warning] PrivilegedNil
Message: privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.
Metadata:
Container: init-permissions
-- [error] ReadOnlyRootFilesystemNil
Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
Metadata:
Container: build
-- [error] ReadOnlyRootFilesystemNil
Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
Metadata:
Container: helper
-- [error] ReadOnlyRootFilesystemNil
Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
Metadata:
Container: init-permissions
-- [error] SeccompAnnotationMissing
Message: Seccomp annotation is missing. The annotation seccomp.security.alpha.kubernetes.io/pod: runtime/default should be added.
Metadata:
MissingAnnotation: seccomp.security.alpha.kubernetes.io/pod
---------------- Results for ---------------
apiVersion: v1
kind: Pod
metadata:
name: runner-uxmmvxa-project
namespace: tools
--------------------------------------------
-- [error] AppArmorAnnotationMissing
Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/build' should be added.
Metadata:
Container: build
MissingAnnotation: container.apparmor.security.beta.kubernetes.io/build
-- [error] AppArmorAnnotationMissing
Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/helper' should be added.
Metadata:
Container: helper
MissingAnnotation: container.apparmor.security.beta.kubernetes.io/helper
-- [error] AppArmorAnnotationMissing
Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/init-permissions' should be added.
Metadata:
Container: init-permissions
MissingAnnotation: container.apparmor.security.beta.kubernetes.io/init-permissions
-- [error] CapabilityShouldDropAll
Message: Capability Drop list should be set to ALL. Add the specific ones you need to the Add list and set an override label.
Metadata:
Container: build
-- [error] CapabilityShouldDropAll
Message: Capability Drop list should be set to ALL. Add the specific ones you need to the Add list and set an override label.
Metadata:
Container: helper
-- [error] CapabilityOrSecurityContextMissing
Message: Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL.
Metadata:
Container: init-permissions
-- [warning] LimitsNotSet
Message: Resource limits not set.
Metadata:
Container: build
-- [warning] LimitsNotSet
Message: Resource limits not set.
Metadata:
Container: helper
-- [warning] LimitsNotSet
Message: Resource limits not set.
Metadata:
Container: init-permissions
-- [error] RunAsNonRootPSCNilCSCNil
Message: runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.
Metadata:
Container: build
-- [error] RunAsNonRootPSCNilCSCNil
Message: runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.
Metadata:
Container: helper
-- [error] RunAsNonRootPSCNilCSCNil
Message: runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.
Metadata:
Container: init-permissions
-- [error] AllowPrivilegeEscalationNil
Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
Metadata:
Container: build
-- [error] AllowPrivilegeEscalationNil
Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
Metadata:
Container: helper
-- [error] AllowPrivilegeEscalationNil
Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
Metadata:
Container: init-permissions
-- [error] PrivilegedTrue
Message: privileged is set to 'true' in container SecurityContext. It should be set to 'false'.
Metadata:
Container: build
-- [error] PrivilegedTrue
Message: privileged is set to 'true' in container SecurityContext. It should be set to 'false'.
Metadata:
Container: helper
-- [warning] PrivilegedNil
Message: privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.
Metadata:
Container: init-permissions
-- [error] ReadOnlyRootFilesystemNil
Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
Metadata:
Container: build
-- [error] ReadOnlyRootFilesystemNil
Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
Metadata:
Container: helper
-- [error] ReadOnlyRootFilesystemNil
Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
Metadata:
Container: init-permissions
-- [error] SeccompAnnotationMissing
Message: Seccomp annotation is missing. The annotation seccomp.security.alpha.kubernetes.io/pod: runtime/default should be added.
Metadata:
MissingAnnotation: seccomp.security.alpha.kubernetes.io/pod
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: cert-manager
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: default
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: default
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: develop
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: develop
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: keycloak
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: keycloak
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: kube-node-lease
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: kube-node-lease
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: kube-public
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: kube-public
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: kube-system
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: kube-system
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: monitoring
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: prod
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: prod
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: staging
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: staging
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: tools
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: tools
Cleaning up project directory and file based variables
ERROR: Job failed: command terminated with exit code 1
ISSUE TYPE
Bug Report
BUG REPORT
SUMMARY
Just see the end of my script running in gitlab-runner inside the cluster.
ENVIRONMENT
kubeaudit: https://github.com/Shopify/kubeaudit/releases/download/v0.19.0/kubeaudit_0.19.0_linux_amd64.tar.gz
K8S: 1.24
STEPS TO REPRODUCE
I am sure I have an application pod running as root, privileged, and without a read-only filesystem.
When I run kubeaudit inside a gitlab-runner, the cluster recognizes only the runner pod itself, but not the app pod.
inside app container:
EXPECTED RESULTS
I thought it would scan all running pods for vulnerabilities.
ACTUAL RESULTS
The output only shows missing namespace NetworkPolicies and the runner pod itself as failed.
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: default
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: default
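The findings above are a checklist for the runner pod's securityContext. The following is an added example, not the reporter's manifest and not kubeaudit's own code: it re-implements the checks behind those findings (AppArmor and seccomp annotations, capability drop list, limits, runAsNonRoot, allowPrivilegeEscalation, privileged, readOnlyRootFilesystem), runs them over a constructed runner-like pod, and then shows the hardened form of the same pod passing. RUNNER_POD, the finding names marked *True/*False (named by analogy with the ones in the report) and the 1000 uid / 1 cpu / 1Gi limits are assumptions.

```python
"""Added example, not kubeaudit's own code: re-implements the checks behind
the findings in the report and runs them over a constructed runner-like pod,
before and after hardening. Finding names follow the report where it shows
them; the *True/*False variants are named by analogy."""
from __future__ import annotations

import copy
import json

APPARMOR = "container.apparmor.security.beta.kubernetes.io/"
SECCOMP = "seccomp.security.alpha.kubernetes.io/pod"

# Constructed stand-in for the failing runner pod: privileged build/helper
# containers, an init container with no securityContext, no limits, no
# seccomp or AppArmor settings. Not the report's actual manifest.
RUNNER_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "runner-example", "namespace": "tools"},
    "spec": {
        "initContainers": [{"name": "init-permissions", "image": "busybox"}],
        "containers": [
            {"name": "build", "image": "alpine",
             "securityContext": {"privileged": True}},
            {"name": "helper", "image": "alpine",
             "securityContext": {"privileged": True}},
        ],
    },
}


def all_containers(spec: dict) -> list[dict]:
    return list(spec.get("initContainers") or []) + list(spec.get("containers") or [])


def audit_container(c: dict, pod_sc: dict, annotations: dict) -> list[str]:
    """Findings for one container; the pod securityContext is the fallback."""
    findings = []
    sc = c.get("securityContext") or {}
    if APPARMOR + c["name"] not in annotations:
        findings.append("AppArmorAnnotationMissing")
    if "securityContext" not in c:
        findings.append("CapabilityOrSecurityContextMissing")
    elif "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        findings.append("CapabilityShouldDropAll")
    if not (c.get("resources") or {}).get("limits"):
        findings.append("LimitsNotSet")
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if non_root is not True and not (isinstance(uid, int) and uid > 0):
        findings.append("RunAsNonRootPSCNilCSCNil")
    ape = sc.get("allowPrivilegeEscalation")
    if ape is None:
        findings.append("AllowPrivilegeEscalationNil")
    elif ape:
        findings.append("AllowPrivilegeEscalationTrue")
    priv = sc.get("privileged")
    if priv is None:
        findings.append("PrivilegedNil")  # warning level in kubeaudit
    elif priv:
        findings.append("PrivilegedTrue")
    rofs = sc.get("readOnlyRootFilesystem")
    if rofs is None:
        findings.append("ReadOnlyRootFilesystemNil")
    elif not rofs:
        findings.append("ReadOnlyRootFilesystemFalse")
    return findings


def audit_pod(pod: dict) -> dict[str, list[str]]:
    """Map container name ("pod" for pod-level checks) to findings; clean == {}."""
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    out = {}
    for c in all_containers(spec):
        if found := audit_container(c, pod_sc, annotations):
            out[c["name"]] = found
    # Accept the legacy pod annotation or the securityContext.seccompProfile field.
    profile = (pod_sc.get("seccompProfile") or {}).get("type")
    if SECCOMP not in annotations and profile not in ("RuntimeDefault", "Localhost"):
        out["pod"] = ["SeccompAnnotationMissing"]
    return out


def harden(pod: dict) -> dict:
    """Copy of the pod with every reported setting fixed (uid/limits assumed).
    This breaks workloads that genuinely need privileged; the report does not
    say why the runner has it, and kubeaudit's override labels exist for that."""
    p = copy.deepcopy(pod)
    spec = p["spec"]
    annotations = p.setdefault("metadata", {}).setdefault("annotations", {})
    annotations[SECCOMP] = "runtime/default"
    spec["securityContext"] = {
        "runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000,
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    for c in all_containers(spec):
        annotations[APPARMOR + c["name"]] = "runtime/default"
        c["securityContext"] = {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        }
        c.setdefault("resources", {})["limits"] = {"cpu": "1", "memory": "1Gi"}
    return p


if __name__ == "__main__":
    print(json.dumps(audit_pod(RUNNER_POD), indent=2))
    print(json.dumps(audit_pod(harden(RUNNER_POD)), indent=2))  # {}
```

The first print reproduces the per-container findings the report shows for build, helper and init-permissions (init-permissions gets CapabilityOrSecurityContextMissing and PrivilegedNil rather than CapabilityShouldDropAll and PrivilegedTrue because it has no securityContext at all); the second is empty. Whether the hardened spec still works for the runner is a separate question the report does not answer.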
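The complaint in the report is about which resources the run covered (only Namespaces and the runner's own pods in tools). A quick way to answer that from a log like the one above is to parse the pretty output into resource/finding pairs and count kinds. This is an added example, not kubeaudit's code; SAMPLE is constructed in the same format as the log above but far shorter, and for scripted use kubeaudit's --format json output avoids this parsing altogether.

```python
"""Added example, not part of the report or of kubeaudit: parse kubeaudit's
pretty output into {resource: findings} so a CI job can list which resources
a run actually covered. SAMPLE is constructed in that format."""
from __future__ import annotations

import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = """\
---------------- Results for ---------------
apiVersion: v1
kind: Pod
metadata:
name: runner-uxmmvxa-project
namespace: tools
--------------------------------------------
-- [error] PrivilegedTrue
Message: privileged is set to 'true' in container SecurityContext. It should be set to 'false'.
Metadata:
Container: build
-- [warning] LimitsNotSet
Message: Resource limits not set.
Metadata:
Container: helper
---------------- Results for ---------------
apiVersion: v1
kind: Namespace
metadata:
name: default
--------------------------------------------
-- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy
Message: Namespace is missing a default deny ingress and egress NetworkPolicy.
Metadata:
Namespace: default
"""

RESULTS_HEADER = re.compile(r"^-+ Results for -+$", re.M)   # opens a block
RULE = re.compile(r"^-{20,}$", re.M)                        # closes the header
FINDING = re.compile(r"^-- \[(\w+)\] (\w+)$")                # "-- [error] Name"

Resource = Tuple[str, str, str]   # (kind, namespace, name); "" if no namespace
Finding = Tuple[str, str, str]    # (level, auditor result, container or "")


def parse(text: str) -> Dict[Resource, List[Finding]]:
    results: Dict[Resource, List[Finding]] = {}
    for chunk in RESULTS_HEADER.split(text)[1:]:
        header, body = RULE.split(chunk, maxsplit=1)
        fields = {}
        for line in header.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        key = (fields.get("kind", "?"), fields.get("namespace", ""), fields.get("name", "?"))
        findings: List[List[str]] = []
        for line in body.splitlines():
            line = line.strip()
            m = FINDING.match(line)
            if m:
                findings.append([m.group(1), m.group(2), ""])
            elif findings and line.startswith("Container:"):
                # Metadata line naming the container the last finding belongs to
                findings[-1][2] = line.partition(":")[2].strip()
        results[key] = [tuple(f) for f in findings]
    return results


def coverage(results: Dict[Resource, List[Finding]]) -> Dict[str, int]:
    """Number of resources of each kind the run reported on."""
    return dict(Counter(kind for kind, _, _ in results))


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for resource, findings in parsed.items():
        print(resource, [f[1] for f in findings])
    print(coverage(parsed))
```

Note that a resource only appears in the pretty output when it has at least one finding, so a pod that passes every auditor is indistinguishable here from one that was never listed; only a cluster-wide listing by the same service account tells those apart.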