digitalocean / k8s-staticroute-operator

Create static routes for your k8s nodes using CRDs.
Apache License 2.0
55 stars 11 forks source link

Initial work #2

Closed v-ctiutiu closed 2 years ago

v-ctiutiu commented 2 years ago

Overview

Changes made in this PR:

guardrails[bot] commented 2 years ago

:warning: We detected 3 security issues in this pull request:

Insecure Configuration (1)
Docs | Details ----- | -------- [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/kubernetes/insecure_configuration.html?utm_source=ghpr#) | Title: **hostNetwork is exposed**, Severity: Medium
https://github.com/digitalocean/k8s-staticroute-operator/blob/7408a886710c36392bd5346b38158c19850a40b9/operator/operator-daemonset.yaml#L15 More info on how to fix Insecure Configuration in [Kubernetes](https://docs.guardrails.io/docs/en/vulnerabilities/kubernetes/insecure_configuration.html?utm_source=ghpr#). ---
Insecure Access Control (2)
Docs | Details ----- | -------- [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/kubernetes/insecure_access_control.html?utm_source=ghpr#) | Title: **DROP All Capabilities**, Severity: Low
File: [operator/operator-daemonset.yaml](https://github.com/digitalocean/k8s-staticroute-operator/blob/7408a886710c36392bd5346b38158c19850a40b9/operator/operator-daemonset.yaml) [:bulb:](https://docs.guardrails.io/docs/vulnerabilities/kubernetes/insecure_access_control?utm_source=ghpr#containers-with-added-capabilities) | Title: **Containers With Added Capabilities**, Severity: Medium
https://github.com/digitalocean/k8s-staticroute-operator/blob/7408a886710c36392bd5346b38158c19850a40b9/operator/operator-daemonset.yaml#L26 More info on how to fix Insecure Access Control in [Kubernetes](https://docs.guardrails.io/docs/en/vulnerabilities/kubernetes/insecure_access_control.html?utm_source=ghpr#).

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

bikram20 commented 2 years ago

@v-ctiutiu Nice work! Does the operator need hostNetwork: true?

v-ctiutiu commented 2 years ago

@v-ctiutiu Nice work! Does the operator need hostNetwork: true?

Yes, it doesn't work without that setting. The reason is that it needs access to host network to alter static routes. The operator runs in a Docker container after all, hence it runs in an isolated network from the main host.

Hope it makes sense. Thanks.

bikram20 commented 2 years ago

Got it. Thanks.