eclipse-tractusx / tractus-x-umbrella

Apache License 2.0

kyverno findings #33

Closed fty4 closed 8 months ago

fty4 commented 1 year ago

This issue was created to track all open kyverno findings with the current Helm chart.

For each distinct finding I've already created a PR or issue. Some of them might already be merged but not yet released.

findings

1 - certs daps

finding message

```bash
policy require-run-as-nonroot -> resource default/Job/chart-certsconsumer-cert-transfer-daps failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
   rule autogen-run-as-non-root[0] failed at path /spec/template/spec/securityContext/
   rule autogen-run-as-non-root[1] failed at path /spec/template/spec/containers/0/securityContext/

policy require-run-as-nonroot -> resource default/Job/chart-certsprovider-cert-transfer-daps failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
   rule autogen-run-as-non-root[0] failed at path /spec/template/spec/securityContext/
   rule autogen-run-as-non-root[1] failed at path /spec/template/spec/containers/0/securityContext/
```

Resolved via https://github.com/eclipse-tractusx/e2e-testing/pull/30

2 - psql

finding message

```bash
policy require-run-as-nonroot -> resource poc-argocd/StatefulSet/chart-consumer-postgresql failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
   rule autogen-run-as-non-root[0] failed at path /spec/template/spec/initContainers/
   rule autogen-run-as-non-root[1] failed at path /spec/template/spec/initContainers/

policy require-run-as-nonroot -> resource poc-argocd/StatefulSet/chart-provider-postgresql failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
   rule autogen-run-as-non-root[0] failed at path /spec/template/spec/initContainers/
   rule autogen-run-as-non-root[1] failed at path /spec/template/spec/initContainers/
```

Resolved via https://github.com/eclipse-tractusx/tractusx-edc/issues/677

3 - tx edc non-root

finding message

```bash
policy require-run-as-nonroot -> resource default/Pod/chart-edcconsumertest-controlplane-readiness failed:
1. run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
   rule run-as-non-root[0] failed at path /spec/securityContext/
   rule run-as-non-root[1] failed at path /spec/containers/0/securityContext/

policy require-run-as-nonroot -> resource default/Pod/chart-edcconsumertest-dataplane-readiness failed:
1. run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
   rule run-as-non-root[0] failed at path /spec/securityContext/
   rule run-as-non-root[1] failed at path /spec/containers/0/securityContext/

policy require-run-as-nonroot -> resource default/Pod/chart-edcprovidertest-controlplane-readiness failed:
1. run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
   rule run-as-non-root[0] failed at path /spec/securityContext/
   rule run-as-non-root[1] failed at path /spec/containers/0/securityContext/

policy require-run-as-nonroot -> resource default/Pod/chart-edcprovidertest-dataplane-readiness failed:
1. run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
   rule run-as-non-root[0] failed at path /spec/securityContext/
   rule run-as-non-root[1] failed at path /spec/containers/0/securityContext/
```

Resolved via https://github.com/eclipse-tractusx/tractusx-edc/pull/637

4 - vault non-root (test)

finding message

```bash
policy require-run-as-nonroot -> resource poc-argocd/Pod/chart-server-test failed:
1. run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
   rule run-as-non-root[0] failed at path /spec/securityContext/
   rule run-as-non-root[1] failed at path /spec/containers/0/securityContext/
```

Requires Helm chart update from 0.20.0 to 0.25.0.

Resolved via https://github.com/hashicorp/vault-helm/pull/930

5 - description

finding message

```bash
policy require-run-as-nonroot -> resource default/Deployment/chart-daps failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
   rule autogen-run-as-non-root[0] failed at path /spec/template/spec/securityContext/runAsNonRoot/
   rule autogen-run-as-non-root[1] failed at path /spec/template/spec/initContainers/0/securityContext/
```

Resolved via https://github.com/eclipse-tractusx/tractusx-edc/pull/679

Additional information

These findings were detected on commit 43465007a94774c66bc56a599012d62bf43c4e85 after the kyverno wf was introduced. By now, or when e.g. v0.5.0 of the edc chart (without legacy) is implemented, the findings will change.
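The five findings above all come from the same Kyverno rule, and the two `failed at path` lines per resource correspond to the policy's two `anyPattern` branches: branch 0 wants `runAsNonRoot: true` on the pod-level `securityContext` (and no container overriding it to `false`), branch 1 wants it set explicitly on every container, init container and ephemeral container. A resource passes when either branch passes. The script below is an added example, not part of this issue, the umbrella chart, or Kyverno: it restates those two branches in plain Python so a chart author can reproduce the findings offline against `kubectl get deploy,sts,job -A -o json` (or a rendered manifest converted to JSON) without a cluster running Kyverno. The branch semantics are restated from the policy message quoted in the findings; the reported paths are Kyverno-like but not guaranteed to match Kyverno's engine byte for byte, and the three sample workloads are constructed for the example.

```python
"""Offline re-check of Kyverno's require-run-as-nonroot logic.

Added example, not Kyverno's engine: the two branches below are restated
from the policy message quoted in the findings (assumption: this matches
the published anyPattern). Paths are Kyverno-like, not guaranteed identical.
"""
import json
from typing import Any, Optional

# Kinds whose Pod spec sits under a template. Kyverno's "autogen" rules walk
# these, which is why the findings say autogen-run-as-non-root and report
# paths starting with /spec/template/spec.
_POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}
_CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def _pod_spec(obj: dict) -> tuple:
    """Return (pod spec, JSON-pointer prefix) for a supported kind."""
    keys = _POD_SPEC_PATH[obj["kind"]]
    node: Any = obj
    for k in keys:
        node = node.get(k, {})
    return node, "/" + "/".join(keys)


def _branch_pod_level(spec: dict, prefix: str) -> Optional[str]:
    """Branch 0: pod securityContext.runAsNonRoot is true and no container
    that sets runAsNonRoot sets it to anything but true. None means pass."""
    sc = spec.get("securityContext")
    if not isinstance(sc, dict):
        return f"{prefix}/securityContext/"
    if sc.get("runAsNonRoot") is not True:
        return f"{prefix}/securityContext/runAsNonRoot/"
    for lst in _CONTAINER_LISTS:
        for i, c in enumerate(spec.get(lst, [])):
            csc = c.get("securityContext") or {}
            if "runAsNonRoot" in csc and csc["runAsNonRoot"] is not True:
                return f"{prefix}/{lst}/{i}/securityContext/runAsNonRoot/"
    return None


def _branch_per_container(spec: dict, prefix: str) -> Optional[str]:
    """Branch 1: every container in every list explicitly sets
    securityContext.runAsNonRoot to true. None means pass."""
    if not spec.get("containers"):
        return f"{prefix}/containers/"
    for lst in _CONTAINER_LISTS:
        for i, c in enumerate(spec.get(lst, [])):
            csc = c.get("securityContext")
            if not isinstance(csc, dict):
                return f"{prefix}/{lst}/{i}/securityContext/"
            if csc.get("runAsNonRoot") is not True:
                return f"{prefix}/{lst}/{i}/securityContext/runAsNonRoot/"
    return None


def check_run_as_nonroot(obj: dict) -> dict:
    """Evaluate one workload: passes if EITHER branch passes (anyPattern)."""
    spec, prefix = _pod_spec(obj)
    meta = obj.get("metadata", {})
    resource = f'{meta.get("namespace", "default")}/{obj["kind"]}/{meta["name"]}'
    failures = [_branch_pod_level(spec, prefix), _branch_per_container(spec, prefix)]
    passed = any(f is None for f in failures)
    return {"resource": resource, "passed": passed,
            "failed_paths": [] if passed else failures}


def check_json(document: str) -> list:
    """Accept one object or a kubectl List (kubectl get deploy,sts,job -A -o json)."""
    obj = json.loads(document)
    items = obj["items"] if obj.get("kind") == "List" else [obj]
    return [check_run_as_nonroot(o) for o in items if o.get("kind") in _POD_SPEC_PATH]


# Constructed samples (not from the chart). The first mirrors finding 2: the
# database container is fine, but a volume-permission init container runs as
# root and sets no runAsNonRoot, so both branches fail.
BROKEN_STATEFULSET = {
    "kind": "StatefulSet",
    "metadata": {"name": "chart-consumer-postgresql", "namespace": "poc-argocd"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init-chmod-data",
                            "securityContext": {"runAsUser": 0}}],
        "containers": [{"name": "postgresql",
                        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001}}],
    }}},
}

# The fix: one pod-level securityContext, init container no longer root.
FIXED_STATEFULSET = {
    "kind": "StatefulSet",
    "metadata": {"name": "chart-consumer-postgresql", "namespace": "poc-argocd"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001},
        "initContainers": [{"name": "init-chmod-data"}],
        "containers": [{"name": "postgresql"}],
    }}},
}

# A common misunderstanding: a non-zero runAsUser alone does not satisfy the
# policy, because it only checks the runAsNonRoot field.
RUNASUSER_ONLY_POD = {
    "kind": "Pod",
    "metadata": {"name": "chart-server-test"},
    "spec": {"securityContext": {"runAsUser": 1000},
             "containers": [{"name": "test"}]},
}

if __name__ == "__main__":
    for obj in (BROKEN_STATEFULSET, FIXED_STATEFULSET, RUNASUSER_ONLY_POD):
        print(json.dumps(check_run_as_nonroot(obj)))
```

Two caveats for whoever fixes a chart this way. `runAsNonRoot: true` is enforced by the kubelet at container start, not only by Kyverno at admission: if the image's `USER` is a name rather than a numeric UID and no `runAsUser` is set, the container is refused with a non-numeric-user error, so set `runAsUser` alongside it. And the check is per pod spec, so for Helm dependencies (the Bitnami PostgreSQL and Vault charts in findings 2 and 4) the fix has to land in the upstream chart's values or templates, which is what the linked PRs do.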

almadigabor commented 8 months ago

Applying the Kyverno policies via workflow has been put on hold as it is not in the focus now and products should fix these issues in their own chart before implementing them as a dependency here. I'm closing this one and will create a new issue once it gets more relevance.