Reduce capabilities of our containers found by https://github.com/bridgecrewio/checkov:
audittailer
[ ] CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
[ ] ~CKV_K8S_15 "Image Pull Policy should be Always"~
[ ] CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
[ ] CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
csi-lvm-controller
[ ] CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
[ ] CKV_K8S_23 "Minimize the admission of root containers"
[ ] CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
[ ] CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
[ ] ~CKV_K8S_40 "Containers should run as a high UID to avoid host conflict"~
droptailer
[ ] CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
[ ] CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
metallb-system-controller
[ ] CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
[ ] CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
[ ] CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
CKV_K8S_15 is kept as it is because we always have semver versioning for images in place, without the ability to override an already pushed image, so a cached image tag can never differ from what was pushed.
CKV_K8S_40 is not changed because our containers do not write to the host filesystem, so a UID that collides with a host user is harmless.
Gardener components
These need to be fixed in Gardener.
blackbox-exporter
[ ] CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
[ ] CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
[ ] CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
calico-node-vertical-autoscaler
[ ] CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
[ ] CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
[ ] CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
coredns
[ ] CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
metrics-server
[ ] CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
[ ] CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
[ ] CKV_K8S_38 "Ensure that Service Account Tokens are only mounted where necessary"
vpn-shoot
[ ] CKV_K8S_28 "Minimize the admission of containers with the NET_RAW capability"
[ ] CKV_K8S_23 "Minimize the admission of root containers"
[ ] CKV_K8S_20 "Containers should not run with allowPrivilegeEscalation"
[ ] CKV_K8S_25 "Minimize the admission of containers with added capability"
[ ] ~CKV_K8S_40 "Containers should run as a high UID to avoid host conflict"~
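To make concrete which manifest field each of the listed checks looks at, here is a simplified re-implementation of those checks run over two constructed Deployment manifests, one weak and one hardened, with the accepted findings (CKV_K8S_15 and CKV_K8S_40, as decided above) filtered out. This is example code added for this issue, not checkov's implementation or any of the listed components' manifests; the image name, the 10000 UID threshold and the exact pass conditions are assumptions made to illustrate the checks.

```python
"""Simplified re-implementation of the checkov checks listed in this issue.

Added example, not checkov's own code. Manifests are constructed and written
as Python dicts (the JSON form kubectl accepts) so no YAML library is needed.
"""

HIGH_UID = 10000  # assumed threshold for CKV_K8S_40 "high UID"

# Findings we accept and therefore filter out of the report.
ACCEPTED = frozenset({"CKV_K8S_15", "CKV_K8S_40"})


def container_findings(pod_spec: dict, container: dict) -> list:
    """Return the check IDs one container fails.

    Container-level securityContext overrides the pod-level one, as in
    Kubernetes; checks that need an explicit value treat "unset" as a failure.
    """
    pod_sc = pod_spec.get("securityContext", {})
    sc = container.get("securityContext", {})
    caps = sc.get("capabilities", {})
    dropped = {c.upper() for c in caps.get("drop", [])}
    run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))

    failed = []
    if container.get("imagePullPolicy") != "Always":
        failed.append("CKV_K8S_15")
    if sc.get("allowPrivilegeEscalation") is not False:  # must be set explicitly
        failed.append("CKV_K8S_20")
    if not (run_as_non_root is True or (run_as_user is not None and run_as_user > 0)):
        failed.append("CKV_K8S_23")
    if caps.get("add"):  # any added capability fails
        failed.append("CKV_K8S_25")
    if not dropped & {"NET_RAW", "ALL"}:  # dropping ALL also drops NET_RAW
        failed.append("CKV_K8S_28")
    if run_as_user is None or run_as_user < HIGH_UID:
        failed.append("CKV_K8S_40")
    return failed


def pod_findings(pod_spec: dict) -> list:
    """CKV_K8S_38: the token mount must be disabled explicitly on the pod
    (disabling it on the ServiceAccount also works; not modelled here)."""
    if pod_spec.get("automountServiceAccountToken") is not False:
        return ["CKV_K8S_38"]
    return []


def scan(workload: dict, accepted: frozenset = frozenset()) -> dict:
    """Map 'pod' and each container name to its non-accepted findings."""
    pod_spec = workload["spec"]["template"]["spec"]
    result = {"pod": [f for f in pod_findings(pod_spec) if f not in accepted]}
    for c in pod_spec.get("containers", []):
        result[c["name"]] = [f for f in container_findings(pod_spec, c)
                             if f not in accepted]
    return result


# Constructed manifest: runs non-root already, but nothing else is set.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "audittailer"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "audittailer",
                        "image": "audittailer:v1.2.3"}],  # made-up image
    }}},
}

# Same workload with the findings fixed; CKV_K8S_15/40 deliberately left as-is.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "audittailer"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,                # CKV_K8S_38
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{
            "name": "audittailer",
            "image": "audittailer:v1.2.3",
            "imagePullPolicy": "IfNotPresent",                  # accepted CKV_K8S_15
            "securityContext": {
                "allowPrivilegeEscalation": False,            # CKV_K8S_20
                "capabilities": {"drop": ["ALL"]},            # CKV_K8S_28 / 25
            },
        }],
    }}},
}

if __name__ == "__main__":
    for name, wl in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(name, "all findings:", scan(wl))
        print(name, "unaccepted:", scan(wl, ACCEPTED))
```

The weak manifest reports exactly the audittailer items from the list above (28, 20 and 38) once the accepted checks are filtered; the hardened one reports nothing. The same filtering is what `checkov --skip-check CKV_K8S_15,CKV_K8S_40` would do on the real manifests.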