djkormo / adcs-issuer

BSD 3-Clause "New" or "Revised" License

Hardening deployment of adcs simulator #61

Closed djkormo closed 3 months ago

djkormo commented 4 months ago

TODO Hardening deployment of adcs simulator

Starting point

Grade: D Score: 65%

polaris audit --color --format pretty --only-show-failed-tests
Deployment adcs-sim-deployment in namespace adcs-issuer
    metadataAndInstanceMismatched        😬 Warning
        Reliability - Label app.kubernetes.io/instance must match metadata.name
    missingPodDisruptionBudget           😬 Warning
        Reliability - Should have a PodDisruptionBudget
    deploymentMissingReplicas            😬 Warning
        Reliability - Only one replica is scheduled
    automountServiceAccountToken         😬 Warning
        Security - The ServiceAccount will be automounted
    missingNetworkPolicy                 😬 Warning
        Security - A NetworkPolicy should match pod labels and contain applied egress and ingress rules
    priorityClassNotSet                  😬 Warning
        Reliability - Priority class should be set
    topologySpreadConstraint             😬 Warning
        Reliability - Pod should be configured with a valid topology spread constraint
  Container manager
    runAsRootAllowed                     ❌ Danger
        Security - Should not be allowed to run as root
    linuxHardening                       😬 Warning
        Security - Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
    notReadOnlyRootFilesystem            😬 Warning
        Security - Filesystem should be read only
    privilegeEscalationAllowed           ❌ Danger
        Security - Privilege escalation should not be allowed
    insecureCapabilities                 😬 Warning
        Security - Container should not have insecure capabilities
    livenessProbeMissing                 😬 Warning
        Reliability - Liveness probe should be configured
    readinessProbeMissing                😬 Warning
        Reliability - Readiness probe should be configured

ConfigMap adcs-sim-configmap in namespace adcs-issuer
    sensitiveConfigmapContent            ❌ Danger
        Security - Potentially sensitive content is detected in the ConfigMap keys or values
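A Deployment manifest that addresses the Deployment- and container-level findings in the audit above, added here as an illustration; it is not taken from the PR or from the project's own manifests. The image reference, container port 8443, UID 65532 and the PriorityClass name are assumptions; the PodDisruptionBudget and NetworkPolicy findings require separate objects that are not shown.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: adcs-sim-deployment
  namespace: adcs-issuer
  labels:
    app.kubernetes.io/name: adcs-sim
    app.kubernetes.io/instance: adcs-sim-deployment   # must equal metadata.name (metadataAndInstanceMismatched)
spec:
  replicas: 2                                         # deploymentMissingReplicas
  selector:
    matchLabels:
      app.kubernetes.io/instance: adcs-sim-deployment
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: adcs-sim-deployment
    spec:
      automountServiceAccountToken: false             # automountServiceAccountToken: no API token in the pod
      priorityClassName: adcs-sim-priority            # priorityClassNotSet; assumed PriorityClass name
      topologySpreadConstraints:                      # topologySpreadConstraint: spread replicas across nodes
        - maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: ScheduleAnyway
          labelSelector:
            matchLabels:
              app.kubernetes.io/instance: adcs-sim-deployment
      securityContext:
        runAsNonRoot: true                            # runAsRootAllowed
        runAsUser: 65532                              # assumed non-root UID in the image
        seccompProfile:
          type: RuntimeDefault                        # linuxHardening: runtime default seccomp profile
      containers:
        - name: manager
          image: ADCS_SIM_IMAGE:TAG                   # placeholder; the real image is not on this page
          securityContext:
            allowPrivilegeEscalation: false           # privilegeEscalationAllowed
            readOnlyRootFilesystem: true              # notReadOnlyRootFilesystem
            capabilities:
              drop: ["ALL"]                           # insecureCapabilities: drop every capability
          ports:
            - containerPort: 8443                     # assumed listening port
          livenessProbe:                              # livenessProbeMissing
            tcpSocket:
              port: 8443
          readinessProbe:                             # readinessProbeMissing
            tcpSocket:
              port: 8443
```

With readOnlyRootFilesystem enabled, any path the simulator writes to at runtime must be backed by an emptyDir volume, so re-run polaris audit after applying and check the pod actually starts.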
djkormo commented 4 months ago

PR created https://github.com/djkormo/adcs-issuer/pull/62