diff --git a/charts/dependency/mariadb/CHANGELOG.md b/charts/dependency/mariadb/CHANGELOG.md
index 7ad5aea2efe..70b2d77e6e0 100644
--- a/charts/dependency/mariadb/CHANGELOG.md
+++ b/charts/dependency/mariadb/CHANGELOG.md
@@ -1,6 +1,15 @@
# Changelog
+
+### [mariadb-3.0.10](https://github.com/truecharts/apps/compare/mariadb-3.0.9...mariadb-3.0.10) (2022-06-17)
+
+#### Chore
+
+* update helm chart common to v10.0.13
+
+
+
### [mariadb-3.0.9](https://github.com/truecharts/apps/compare/mariadb-3.0.8...mariadb-3.0.9) (2022-06-17)
diff --git a/charts/dependency/mariadb/README.md b/charts/dependency/mariadb/README.md
index 15fc96095de..5ef182a5760 100644
--- a/charts/dependency/mariadb/README.md
+++ b/charts/dependency/mariadb/README.md
@@ -19,7 +19,7 @@ Kubernetes: `>=1.16.0-0`
| Repository | Name | Version |
|------------|------|---------|
-| https://library-charts.truecharts.org | common | 10.0.12 |
+| https://library-charts.truecharts.org | common | 10.0.13 |
## Installing the Chart
diff --git a/charts/dependency/mariadb/security.md b/charts/dependency/mariadb/security.md
index 527433b74ac..8d4d0d1ba7d 100644
--- a/charts/dependency/mariadb/security.md
+++ b/charts/dependency/mariadb/security.md
@@ -17,18 +17,23 @@ hide:
| Type | Misconfiguration ID | Check | Severity | Explaination | Links |
|:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------|
-| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
|
-| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-mariadb' of StatefulSet 'RELEASE-NAME-mariadb' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
-| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
-| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
|
-| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'RELEASE-NAME-mariadb' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
-| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
-| Kubernetes Security Check | KSV017 | Privileged container | HIGH | Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.privileged' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv017
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-mariadb' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-mariadb' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV029 | A root primary or supplementary GID set | LOW | Expand...
Containers should be forbidden from running with a root primary or supplementary GID.
StatefulSet 'RELEASE-NAME-mariadb' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0 | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv029
|
+| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'RELEASE-NAME-mariadb' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
|
+| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
|
+| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-mariadb' of StatefulSet 'RELEASE-NAME-mariadb' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
|
+| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
|
+| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv012
|
+| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'RELEASE-NAME-mariadb' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
|
+| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
|
+| Kubernetes Security Check | KSV017 | Privileged container | HIGH | Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.privileged' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/misconfig/ksv017
|
+| Kubernetes Security Check | KSV020 | Runs with low user ID | LOW | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-mariadb' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
|
+| Kubernetes Security Check | KSV020 | Runs with low user ID | LOW | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
|
+| Kubernetes Security Check | KSV021 | Runs with low group ID | LOW | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-mariadb' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
|
+| Kubernetes Security Check | KSV021 | Runs with low group ID | LOW | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mariadb' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
|
+| Kubernetes Security Check | KSV030 | Default Seccomp profile not set | LOW | Expand...
The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.
Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
|
+| Kubernetes Security Check | KSV030 | Default Seccomp profile not set | LOW | Expand...
The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.
Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
|
+| Kubernetes Security Check | KSV105 | Containers must not set runAsUser to 0 | LOW | Expand...
Containers should be forbidden from running with a root UID.
securityContext.runAsUser should be set to a value greater than 0 | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv105
|
+| Kubernetes Security Check | KSV106 | Container capabilities must only include NET_BIND_SERVICE | LOW | Expand...
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
container should drop all | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
|
+| Kubernetes Security Check | KSV106 | Container capabilities must only include NET_BIND_SERVICE | LOW | Expand...
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
container should drop all | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
|
## Containers
@@ -175,3 +180,9 @@ hide:
|:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------|
| github.com/opencontainers/runc | CVE-2021-43784 | MEDIUM | v1.0.1 | v1.0.3 | Expand...
https://access.redhat.com/security/cve/CVE-2021-43784
https://bugs.chromium.org/p/project-zero/issues/detail?id=2241
https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554
https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae
https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed
https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f
https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html
https://nvd.nist.gov/vuln/detail/CVE-2021-43784
|
| github.com/opencontainers/runc | CVE-2022-24769 | MEDIUM | v1.0.1 | v1.1.2 | Expand...
http://www.openwall.com/lists/oss-security/2022/05/12/1
https://access.redhat.com/security/cve/CVE-2022-24769
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24769
https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f
https://github.com/moby/moby/releases/tag/v20.10.14
https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/
https://nvd.nist.gov/vuln/detail/CVE-2022-24769
https://www.debian.org/security/2022/dsa-5162
|
+
+**gobinary**
+
+
+| No Vulnerabilities found |
+|:---------------------------------|
diff --git a/charts/dependency/memcached/CHANGELOG.md b/charts/dependency/memcached/CHANGELOG.md
index f054b1a60dd..e534b872779 100644
--- a/charts/dependency/memcached/CHANGELOG.md
+++ b/charts/dependency/memcached/CHANGELOG.md
@@ -1,6 +1,15 @@
# Changelog
+
+### [memcached-3.0.10](https://github.com/truecharts/apps/compare/memcached-3.0.9...memcached-3.0.10) (2022-06-17)
+
+#### Chore
+
+* update helm chart common to v10.0.13
+
+
+
### [memcached-3.0.9](https://github.com/truecharts/apps/compare/memcached-3.0.8...memcached-3.0.9) (2022-06-17)
diff --git a/charts/dependency/memcached/README.md b/charts/dependency/memcached/README.md
index 6eabb42a891..4e507ed5b86 100644
--- a/charts/dependency/memcached/README.md
+++ b/charts/dependency/memcached/README.md
@@ -18,7 +18,7 @@ Kubernetes: `>=1.16.0-0`
| Repository | Name | Version |
|------------|------|---------|
-| https://library-charts.truecharts.org | common | 10.0.12 |
+| https://library-charts.truecharts.org | common | 10.0.13 |
## Installing the Chart
diff --git a/charts/dependency/memcached/security.md b/charts/dependency/memcached/security.md
index 71cda00a703..ecf17a9397c 100644
--- a/charts/dependency/memcached/security.md
+++ b/charts/dependency/memcached/security.md
@@ -17,17 +17,22 @@ hide:
| Type | Misconfiguration ID | Check | Severity | Explaination | Links |
|:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------|
-| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
|
-| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-memcached' of Deployment 'RELEASE-NAME-memcached' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
-| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
-| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
|
-| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
-| Kubernetes Security Check | KSV017 | Privileged container | HIGH | Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.privileged' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv017
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-memcached' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-memcached' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV029 | A root primary or supplementary GID set | LOW | Expand...
Containers should be forbidden from running with a root primary or supplementary GID.
Deployment 'RELEASE-NAME-memcached' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0 | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv029
|
+| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'RELEASE-NAME-memcached' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
|
+| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
|
+| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-memcached' of Deployment 'RELEASE-NAME-memcached' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
|
+| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
|
+| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv012
|
+| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
|
+| Kubernetes Security Check | KSV017 | Privileged container | HIGH | Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.privileged' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/misconfig/ksv017
|
+| Kubernetes Security Check | KSV020 | Runs with low user ID | LOW | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-memcached' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
|
+| Kubernetes Security Check | KSV020 | Runs with low user ID | LOW | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
|
+| Kubernetes Security Check | KSV021 | Runs with low group ID | LOW | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-memcached' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
|
+| Kubernetes Security Check | KSV021 | Runs with low group ID | LOW | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of Deployment 'RELEASE-NAME-memcached' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
|
+| Kubernetes Security Check | KSV030 | Default Seccomp profile not set | LOW | Expand...
The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.
Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
|
+| Kubernetes Security Check | KSV030 | Default Seccomp profile not set | LOW | Expand...
The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.
Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
|
+| Kubernetes Security Check | KSV105 | Containers must not set runAsUser to 0 | LOW | Expand...
Containers should be forbidden from running with a root UID.
securityContext.runAsUser should be set to a value greater than 0 | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv105
|
+| Kubernetes Security Check | KSV106 | Container capabilities must only include NET_BIND_SERVICE | LOW | Expand...
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
container should drop all | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
|
+| Kubernetes Security Check | KSV106 | Container capabilities must only include NET_BIND_SERVICE | LOW | Expand...
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
container should drop all | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
|
## Containers
diff --git a/charts/dependency/mongodb/CHANGELOG.md b/charts/dependency/mongodb/CHANGELOG.md
index 1b99864519f..c3cbd3f89d7 100644
--- a/charts/dependency/mongodb/CHANGELOG.md
+++ b/charts/dependency/mongodb/CHANGELOG.md
@@ -1,6 +1,15 @@
# Changelog
+
+### [mongodb-1.0.11](https://github.com/truecharts/apps/compare/mongodb-1.0.10...mongodb-1.0.11) (2022-06-17)
+
+#### Chore
+
+* update helm chart common to v10.0.13
+
+
+
### [mongodb-1.0.10](https://github.com/truecharts/apps/compare/mongodb-1.0.9...mongodb-1.0.10) (2022-06-17)
diff --git a/charts/dependency/mongodb/README.md b/charts/dependency/mongodb/README.md
index c3c145c9824..40dd5141c9a 100644
--- a/charts/dependency/mongodb/README.md
+++ b/charts/dependency/mongodb/README.md
@@ -19,7 +19,7 @@ Kubernetes: `>=1.16.0-0`
| Repository | Name | Version |
|------------|------|---------|
-| https://library-charts.truecharts.org | common | 10.0.12 |
+| https://library-charts.truecharts.org | common | 10.0.13 |
## Installing the Chart
diff --git a/charts/dependency/mongodb/security.md b/charts/dependency/mongodb/security.md
index d7a8b57ac1e..aa20aa3eb6f 100644
--- a/charts/dependency/mongodb/security.md
+++ b/charts/dependency/mongodb/security.md
@@ -17,18 +17,23 @@ hide:
| Type | Misconfiguration ID | Check | Severity | Explaination | Links |
|:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------|
-| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
|
-| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-mongodb' of StatefulSet 'RELEASE-NAME-mongodb' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
-| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
-| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
|
-| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'RELEASE-NAME-mongodb' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
-| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
-| Kubernetes Security Check | KSV017 | Privileged container | HIGH | Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.privileged' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv017
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-mongodb' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-mongodb' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV029 | A root primary or supplementary GID set | LOW | Expand...
Containers should be forbidden from running with a root primary or supplementary GID.
StatefulSet 'RELEASE-NAME-mongodb' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0 | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv029
|
+| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'RELEASE-NAME-mongodb' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
|
+| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
|
+| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-mongodb' of StatefulSet 'RELEASE-NAME-mongodb' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
|
+| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
|
+| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv012
|
+| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'RELEASE-NAME-mongodb' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
|
+| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
|
+| Kubernetes Security Check | KSV017 | Privileged container | HIGH | Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.privileged' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/misconfig/ksv017
|
+| Kubernetes Security Check | KSV020 | Runs with low user ID | LOW | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-mongodb' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
|
+| Kubernetes Security Check | KSV020 | Runs with low user ID | LOW | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
|
+| Kubernetes Security Check | KSV021 | Runs with low group ID | LOW | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-mongodb' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
|
+| Kubernetes Security Check | KSV021 | Runs with low group ID | LOW | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-mongodb' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
|
+| Kubernetes Security Check | KSV030 | Default Seccomp profile not set | LOW | Expand...
The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.
Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
|
+| Kubernetes Security Check | KSV030 | Default Seccomp profile not set | LOW | Expand...
The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.
Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
|
+| Kubernetes Security Check | KSV105 | Containers must not set runAsUser to 0 | LOW | Expand...
Containers should be forbidden from running with a root UID.
securityContext.runAsUser should be set to a value greater than 0 | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv105
|
+| Kubernetes Security Check | KSV106 | Container capabilities must only include NET_BIND_SERVICE | LOW | Expand...
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
container should drop all | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
|
+| Kubernetes Security Check | KSV106 | Container capabilities must only include NET_BIND_SERVICE | LOW | Expand...
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
container should drop all | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
|
## Containers
@@ -247,6 +252,30 @@ hide:
**gobinary**
+| No Vulnerabilities found |
+|:---------------------------------|
+
+
+
+**gobinary**
+
+
+| No Vulnerabilities found |
+|:---------------------------------|
+
+
+
+**gobinary**
+
+
+| No Vulnerabilities found |
+|:---------------------------------|
+
+
+
+**gobinary**
+
+
| Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
|:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------|
| golang.org/x/text | CVE-2021-38561 | UNKNOWN | v0.3.5 | 0.3.7 | Expand...
https://go.dev/cl/340830
https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f
https://pkg.go.dev/vuln/GO-2021-0113
|
diff --git a/charts/dependency/postgresql/CHANGELOG.md b/charts/dependency/postgresql/CHANGELOG.md
index f00330a7d0d..335755a8d92 100644
--- a/charts/dependency/postgresql/CHANGELOG.md
+++ b/charts/dependency/postgresql/CHANGELOG.md
@@ -1,6 +1,15 @@
# Changelog
+
+### [postgresql-8.0.10](https://github.com/truecharts/apps/compare/postgresql-8.0.9...postgresql-8.0.10) (2022-06-17)
+
+#### Chore
+
+* update helm chart common to v10.0.13
+
+
+
### [postgresql-8.0.9](https://github.com/truecharts/apps/compare/postgresql-8.0.8...postgresql-8.0.9) (2022-06-17)
diff --git a/charts/dependency/postgresql/README.md b/charts/dependency/postgresql/README.md
index f853e97c7a2..c337bf7410e 100644
--- a/charts/dependency/postgresql/README.md
+++ b/charts/dependency/postgresql/README.md
@@ -17,7 +17,7 @@ Kubernetes: `>=1.16.0-0`
| Repository | Name | Version |
|------------|------|---------|
-| https://library-charts.truecharts.org | common | 10.0.12 |
+| https://library-charts.truecharts.org | common | 10.0.13 |
## Installing the Chart
diff --git a/charts/dependency/postgresql/security.md b/charts/dependency/postgresql/security.md
index 853cb98415d..a3b5f406bd3 100644
--- a/charts/dependency/postgresql/security.md
+++ b/charts/dependency/postgresql/security.md
@@ -17,18 +17,23 @@ hide:
| Type | Misconfiguration ID | Check | Severity | Explaination | Links |
|:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------|
-| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
|
-| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-postgresql' of StatefulSet 'RELEASE-NAME-postgresql' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
-| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
-| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
|
-| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'RELEASE-NAME-postgresql' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
-| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
-| Kubernetes Security Check | KSV017 | Privileged container | HIGH | Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.privileged' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv017
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-postgresql' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-postgresql' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV029 | A root primary or supplementary GID set | LOW | Expand...
Containers should be forbidden from running with a root primary or supplementary GID.
StatefulSet 'RELEASE-NAME-postgresql' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0 | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv029
|
+| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'RELEASE-NAME-postgresql' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
|
+| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
|
+| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-postgresql' of StatefulSet 'RELEASE-NAME-postgresql' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
|
+| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
|
+| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv012
|
+| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'RELEASE-NAME-postgresql' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
|
+| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
|
+| Kubernetes Security Check | KSV017 | Privileged container | HIGH | Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.privileged' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/misconfig/ksv017
|
+| Kubernetes Security Check | KSV020 | Runs with low user ID | LOW | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-postgresql' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
|
+| Kubernetes Security Check | KSV020 | Runs with low user ID | LOW | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
|
+| Kubernetes Security Check | KSV021 | Runs with low group ID | LOW | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-postgresql' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
|
+| Kubernetes Security Check | KSV021 | Runs with low group ID | LOW | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-postgresql' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
|
+| Kubernetes Security Check | KSV030 | Default Seccomp profile not set | LOW | Expand...
The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.
Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
|
+| Kubernetes Security Check | KSV030 | Default Seccomp profile not set | LOW | Expand...
The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.
Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
|
+| Kubernetes Security Check | KSV105 | Containers must not set runAsUser to 0 | LOW | Expand...
Containers should be forbidden from running with a root UID.
securityContext.runAsUser should be set to a value greater than 0 | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv105
|
+| Kubernetes Security Check | KSV106 | Container capabilities must only include NET_BIND_SERVICE | LOW | Expand...
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
container should drop all | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
|
+| Kubernetes Security Check | KSV106 | Container capabilities must only include NET_BIND_SERVICE | LOW | Expand...
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
container should drop all | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
|
## Containers
diff --git a/charts/dependency/promtail/CHANGELOG.md b/charts/dependency/promtail/CHANGELOG.md
index 597a35b79c1..91ee111f499 100644
--- a/charts/dependency/promtail/CHANGELOG.md
+++ b/charts/dependency/promtail/CHANGELOG.md
@@ -1,6 +1,15 @@
# Changelog
+
+### [promtail-3.0.7](https://github.com/truecharts/apps/compare/promtail-3.0.6...promtail-3.0.7) (2022-06-17)
+
+#### Chore
+
+* update helm chart common to v10.0.13
+
+
+
### [promtail-3.0.6](https://github.com/truecharts/apps/compare/promtail-3.0.5...promtail-3.0.6) (2022-06-17)
diff --git a/charts/dependency/promtail/README.md b/charts/dependency/promtail/README.md
index be8e9c8d721..a64e03b43c1 100644
--- a/charts/dependency/promtail/README.md
+++ b/charts/dependency/promtail/README.md
@@ -19,7 +19,7 @@ Kubernetes: `>=1.16.0-0`
| Repository | Name | Version |
|------------|------|---------|
-| https://library-charts.truecharts.org | common | 10.0.12 |
+| https://library-charts.truecharts.org | common | 10.0.13 |
## Installing the Chart
diff --git a/charts/dependency/promtail/security.md b/charts/dependency/promtail/security.md
index 883e7b26848..bc0c33e28d4 100644
--- a/charts/dependency/promtail/security.md
+++ b/charts/dependency/promtail/security.md
@@ -17,18 +17,7 @@ hide:
| Type | Misconfiguration ID | Check | Severity | Explaination | Links |
|:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------|
-| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'autopermissions' of Deployment 'RELEASE-NAME-promtail' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
|
-| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'autopermissions' of Deployment 'RELEASE-NAME-promtail' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
-| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'RELEASE-NAME-promtail' of Deployment 'RELEASE-NAME-promtail' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
|
-| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of Deployment 'RELEASE-NAME-promtail' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
|
-| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of Deployment 'RELEASE-NAME-promtail' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
-| Kubernetes Security Check | KSV017 | Privileged container | HIGH | Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'autopermissions' of Deployment 'RELEASE-NAME-promtail' should set 'securityContext.privileged' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv017
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-promtail' of Deployment 'RELEASE-NAME-promtail' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of Deployment 'RELEASE-NAME-promtail' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-promtail' of Deployment 'RELEASE-NAME-promtail' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of Deployment 'RELEASE-NAME-promtail' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV023 | hostPath volumes mounted | MEDIUM | Expand...
HostPath volumes must be forbidden.
Deployment 'RELEASE-NAME-promtail' should not set 'spec.template.volumes.hostPath' | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv023
|
-| Kubernetes Security Check | KSV029 | A root primary or supplementary GID set | LOW | Expand...
Containers should be forbidden from running with a root primary or supplementary GID.
Deployment 'RELEASE-NAME-promtail' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0 | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv029
|
+| Rbac Security Check | KSV047 | Do not allow privilege escalation from node proxy | HIGH | Expand...
Check whether role permits privilege escalation from node proxy
Role permits privilege escalation from node proxy | Expand...
https://kubernetes.io/docs/concepts/security/rbac-good-practices/
https://avd.aquasec.com/misconfig/ksv047
|
## Containers
diff --git a/charts/dependency/redis/CHANGELOG.md b/charts/dependency/redis/CHANGELOG.md
index 908c120f3cf..05ef46c5cc5 100644
--- a/charts/dependency/redis/CHANGELOG.md
+++ b/charts/dependency/redis/CHANGELOG.md
@@ -1,6 +1,15 @@
# Changelog
+
+### [redis-3.0.11](https://github.com/truecharts/apps/compare/redis-3.0.10...redis-3.0.11) (2022-06-17)
+
+#### Chore
+
+* update helm chart common to v10.0.13
+
+
+
### [redis-3.0.10](https://github.com/truecharts/apps/compare/redis-3.0.9...redis-3.0.10) (2022-06-17)
diff --git a/charts/dependency/redis/README.md b/charts/dependency/redis/README.md
index 8bfdfbfe350..94087ad5412 100644
--- a/charts/dependency/redis/README.md
+++ b/charts/dependency/redis/README.md
@@ -18,7 +18,7 @@ Kubernetes: `>=1.16.0-0`
| Repository | Name | Version |
|------------|------|---------|
-| https://library-charts.truecharts.org | common | 10.0.12 |
+| https://library-charts.truecharts.org | common | 10.0.13 |
## Installing the Chart
diff --git a/charts/dependency/redis/security.md b/charts/dependency/redis/security.md
index 24f41021a3e..13ec73c594e 100644
--- a/charts/dependency/redis/security.md
+++ b/charts/dependency/redis/security.md
@@ -17,18 +17,23 @@ hide:
| Type | Misconfiguration ID | Check | Severity | Explaination | Links |
|:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------|
-| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
|
-| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-redis' of StatefulSet 'RELEASE-NAME-redis' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
-| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
-| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
|
-| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'RELEASE-NAME-redis' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
-| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
-| Kubernetes Security Check | KSV017 | Privileged container | HIGH | Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.privileged' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv017
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-redis' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-redis' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
|
-| Kubernetes Security Check | KSV029 | A root primary or supplementary GID set | LOW | Expand...
Containers should be forbidden from running with a root primary or supplementary GID.
StatefulSet 'RELEASE-NAME-redis' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0 | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv029
|
+| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'RELEASE-NAME-redis' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
|
+| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.allowPrivilegeEscalation' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
|
+| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-redis' of StatefulSet 'RELEASE-NAME-redis' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
|
+| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
|
+| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv012
|
+| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'RELEASE-NAME-redis' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
|
+| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
|
+| Kubernetes Security Check | KSV017 | Privileged container | HIGH | Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.privileged' to false | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/misconfig/ksv017
|
+| Kubernetes Security Check | KSV020 | Runs with low user ID | LOW | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-redis' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
|
+| Kubernetes Security Check | KSV020 | Runs with low user ID | LOW | Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.runAsUser' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
|
+| Kubernetes Security Check | KSV021 | Runs with low group ID | LOW | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-redis' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
|
+| Kubernetes Security Check | KSV021 | Runs with low group ID | LOW | Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of StatefulSet 'RELEASE-NAME-redis' should set 'securityContext.runAsGroup' > 10000 | Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
|
+| Kubernetes Security Check | KSV030 | Default Seccomp profile not set | LOW | Expand...
The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.
Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
|
+| Kubernetes Security Check | KSV030 | Default Seccomp profile not set | LOW | Expand...
The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.
Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
|
+| Kubernetes Security Check | KSV105 | Containers must not set runAsUser to 0 | LOW | Expand...
Containers should be forbidden from running with a root UID.
securityContext.runAsUser should be set to a value greater than 0 | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv105
|
+| Kubernetes Security Check | KSV106 | Container capabilities must only include NET_BIND_SERVICE | LOW | Expand...
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
container should drop all | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
|
+| Kubernetes Security Check | KSV106 | Container capabilities must only include NET_BIND_SERVICE | LOW | Expand...
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
container should drop all | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
|
## Containers
@@ -175,3 +180,9 @@ hide:
|:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------|
| github.com/opencontainers/runc | CVE-2021-43784 | MEDIUM | v1.0.1 | v1.0.3 | Expand...
https://access.redhat.com/security/cve/CVE-2021-43784
https://bugs.chromium.org/p/project-zero/issues/detail?id=2241
https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554
https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae
https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed
https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f
https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html
https://nvd.nist.gov/vuln/detail/CVE-2021-43784
|
| github.com/opencontainers/runc | CVE-2022-24769 | MEDIUM | v1.0.1 | v1.1.2 | Expand...
http://www.openwall.com/lists/oss-security/2022/05/12/1
https://access.redhat.com/security/cve/CVE-2022-24769
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24769
https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f
https://github.com/moby/moby/releases/tag/v20.10.14
https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/
https://nvd.nist.gov/vuln/detail/CVE-2022-24769
https://www.debian.org/security/2022/dsa-5162
|
+
+**gobinary**
+
+
+| No Vulnerabilities found |
+|:---------------------------------|