| Field | Value |
|---|---|
| Project | manifests/install.yaml |
| Path | /argo-cd/manifests/install.yaml |
| Project Type | Kubernetes |
Role or ClusterRole with dangerous permissions (6 findings)
Impact
Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.
Remediation
Consider removing these permissions
Container could be running with outdated image
Impact
The container may run with an outdated or unauthorized image
Remediation
Set the `imagePullPolicy` attribute to `Always`
Container has no CPU limit (9 findings)
Impact
CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.
Remediation
Add `resources.limits.cpu` field with required CPU limit value
Container is running with multiple open ports
Impact
Increases the attack surface of the application and the container.
Remediation
Reduce `ports` count to 2
Container is running with writable root filesystem
Impact
A compromised process could abuse a writable root filesystem to elevate privileges
Remediation
Set `spec.{containers, initContainers}.securityContext.readOnlyRootFilesystem` to `true`
Container is running without liveness probe (3 findings)
Impact
Kubernetes will not be able to detect whether the application is able to service requests, and will not restart unhealthy pods
Remediation
Add a `livenessProbe` attribute
Container is running without memory limit (9 findings)
Impact
Containers without memory limits are more likely to be terminated when the node runs out of memory
Remediation
Set `resources.limits.memory` value
Container's or Pod's UID could clash with host's UID (9 findings)
Impact
The UID of the container processes could clash with the host's UIDs and lead to unintentional authorization bypass
Remediation
Set `securityContext.runAsUser` to a value greater than or equal to 10,000. SecurityContext can be set at both the `pod` and `container` level. If both are set, the container level takes precedence