snyk test found some issues in kubearmor deployment #733

Open
rksharma95 opened this issue Jun 9, 2022 · 2 comments

Comments

@rksharma95 (Collaborator)

Snyk reported some vulnerabilities that are found in KubeArmor. Some of these are high-priority issues.
All the issues reported here are common to all the various KubeArmor deployments, i.e. AKS, EKS, GKE, etc., and the proposed solution for an issue can be generalized for all deployments.

| Issue no. | Vulnerability | Affected resource(s) | Source file |
|---|---|---|---|
| 1 | https://snyk.io/security-rules/SNYK-CC-K8S-2 | kubearmor daemon | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L167 |
| 2 | https://snyk.io/security-rules/SNYK-CC-K8S-1 | kubearmor daemon | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L100 |
| 3 | https://snyk.io/security-rules/SNYK-CC-K8S-46 | cluster role | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L9 |
| 4 | https://snyk.io/security-rules/SNYK-CC-K8S-6 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 5 | https://snyk.io/security-rules/SNYK-CC-K8S-14 | kubearmor | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L128 |
| 6 | https://snyk.io/security-rules/SNYK-CC-K8S-3 | kubearmor | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L129 |
| 7 | https://snyk.io/security-rules/SNYK-CC-K8S-9 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 8 | https://snyk.io/security-rules/SNYK-CC-K8S-10 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 9 | https://snyk.io/security-rules/SNYK-CC-K8S-42 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 10 | https://snyk.io/security-rules/SNYK-CC-K8S-5 | kubearmor-daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L82, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 11 | https://snyk.io/security-rules/SNYK-CC-K8S-8 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 12 | https://snyk.io/security-rules/SNYK-CC-K8S-32 | kubearmor daemon | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L75 |
| 13 | https://snyk.io/security-rules/SNYK-CC-K8S-41 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 14 | https://snyk.io/security-rules/SNYK-CC-K8S-4 | kubearmor-daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L82, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
@nyrahul (Contributor) commented Jun 9, 2022

Hey @rksharma95, can you please attach the full Snyk report here as well? Thanks

@achrefbensaad (Member) commented Jul 8, 2022

| Issue no | Snyk severity | Adjusted severity | Reasoning | |
|---|---|---|---|---|
| 1 | High | Medium | The socket is used to communicate with the runtime to gather necessary information on the node; in addition, the socket is mounted in read-only mode | N/A (design constraint) |
| 2 | High | High | - | N/A, we need privileged mode to mount the eBPF program to the kernel |
| 3 | Medium | High | KubeArmor is running as a cluster admin | |
| 4 | Medium | Medium | - | #763 |
| 5 | Medium | Medium | - | N/A, required by KubeArmor |
| 6 | Medium | Medium | - | N/A, required by KubeArmor |
| 7 | Medium | Medium | - | cannot set this flag to false as we are running KubeArmor in privileged mode |
| 8 | Medium | Low | KubeArmor expects to be run as root user | N/A |
| 9 | Low | Low | - | YAML used for test purposes |
| 10 | Low | - | - | can be determined based on the result of this issue |
| 11 | Low | Low | - | #762 |
| 12 | Low | Issue | | |
| 13 | Low | Low | kubearmor/kubearmor-relay-server#18 | #764 |
| 14 | Low | - | can be determined based on the result of this issue | |
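The two tables in this thread describe a workflow that is easy to reproduce outside Snyk: scan the rendered manifests for a handful of pod-level and RBAC misconfigurations, then record which findings are accepted risks with a written justification (the "adjusted severity" and reasoning columns above). The script below is an added example written for this page; it is not code from the KubeArmor project, from Snyk, or from any commenter. The check names (`privileged-container`, `runtime-socket-mount`, and so on) are the example's own labels and not Snyk rule IDs, the list of runtime socket paths is an assumption, and the manifests it scans are constructed inline to mimic the shapes discussed here (a privileged agent with a read-only docker socket mount, a hardened relay, and a `cluster-admin` binding), not the project's real `kubearmor.yaml`.

```python
"""Offline audit of Kubernetes manifests for the misconfigurations discussed in
this issue (privileged containers, runtime-socket hostPath mounts, root user,
allowPrivilegeEscalation, cluster-admin bindings) plus a triage step that
records accepted risks with a justification, as the adjusted-severity table does.
Added example; manifests below are constructed and hypothetical."""
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    check: str      # this example's own check label, not a Snyk rule ID
    resource: str   # "Kind/name" or "Kind/name:container"
    detail: str


# Host paths that expose the container runtime's API (assumed list).
RUNTIME_SOCKETS = ("/var/run/docker.sock", "/run/containerd/containerd.sock",
                   "/run/crio/crio.sock")


def pod_spec(obj: dict):
    """Return the PodSpec of a Pod or of a templated workload (DaemonSet, ...)."""
    if obj.get("kind") == "Pod":
        return obj.get("spec")
    return obj.get("spec", {}).get("template", {}).get("spec")


def audit_workload(obj: dict) -> List[Finding]:
    spec = pod_spec(obj)
    if not spec:
        return []
    res = f"{obj['kind']}/{obj['metadata']['name']}"
    findings: List[Finding] = []
    # volume name -> host path, so a mount can be traced back to the host file
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []):
        name = f"{res}:{c['name']}"
        # container-level securityContext keys override pod-level ones
        sc = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        if sc.get("privileged") is True:
            findings.append(Finding("privileged-container", name,
                                    "securityContext.privileged is true"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(Finding("privilege-escalation-allowed", name,
                                    "allowPrivilegeEscalation is not set to false"))
        # The manifest cannot show the image's USER, so an unpinned user is
        # reported as root until runAsNonRoot/runAsUser says otherwise.
        if sc.get("runAsNonRoot") is not True and sc.get("runAsUser", 0) == 0:
            findings.append(Finding("runs-as-root", name,
                                    "no runAsNonRoot/runAsUser pins a non-root user"))
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path in RUNTIME_SOCKETS:
                mode = "read-only" if m.get("readOnly") else "read-write"
                findings.append(Finding("runtime-socket-mount", name,
                                        f"{path} mounted {mode}"))
    return findings


def audit_rbac(obj: dict) -> List[Finding]:
    """Flag bindings that grant the built-in cluster-admin ClusterRole."""
    if obj.get("kind") not in ("ClusterRoleBinding", "RoleBinding"):
        return []
    ref = obj.get("roleRef", {})
    if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
        subjects = ", ".join(f"{s['kind']}/{s.get('namespace', '')}/{s['name']}"
                             for s in obj.get("subjects", []))
        return [Finding("cluster-admin-binding",
                        f"{obj['kind']}/{obj['metadata']['name']}",
                        f"binds {subjects} to cluster-admin")]
    return []


def audit(manifests: List[dict]) -> List[Finding]:
    out: List[Finding] = []
    for obj in manifests:
        out.extend(audit_workload(obj))
        out.extend(audit_rbac(obj))
    return out


def triage(findings: List[Finding], accepted: Dict[Tuple[str, str], str]):
    """Split findings into still-open ones and ones with a recorded justification."""
    still_open, accepted_risks = [], []
    for f in findings:
        (accepted_risks if (f.check, f.resource) in accepted else still_open).append(f)
    return still_open, accepted_risks


# Constructed sample manifests (plain dicts, i.e. the JSON form of the YAML).
SAMPLE_MANIFESTS = [
    {"apiVersion": "apps/v1", "kind": "DaemonSet",
     "metadata": {"name": "example-daemon", "namespace": "example"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "agent", "image": "example/agent:latest",
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"name": "docker-sock", "readOnly": True,
                                           "mountPath": "/var/run/docker.sock"}]}],
         "volumes": [{"name": "docker-sock",
                      "hostPath": {"path": "/var/run/docker.sock"}}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "example-relay", "namespace": "example"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "relay", "image": "example/relay:latest",
                         "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                                             "allowPrivilegeEscalation": False}}]}}}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "example-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "example", "namespace": "example"}]},
]

# Accepted risks, keyed by (check, resource), each with a written reason (constructed).
ACCEPTED_RISKS = {
    ("privileged-container", "DaemonSet/example-daemon:agent"):
        "privileged mode is needed to load the eBPF program into the kernel",
    ("runtime-socket-mount", "DaemonSet/example-daemon:agent"):
        "socket is read-only and used only to query the runtime",
}

if __name__ == "__main__":
    still_open, accepted_risks = triage(audit(SAMPLE_MANIFESTS), ACCEPTED_RISKS)
    for f in still_open:
        print(f"OPEN      {f.check:30} {f.resource:40} {f.detail}")
    for f in accepted_risks:
        print(f"ACCEPTED  {f.check:30} {f.resource:40} {ACCEPTED_RISKS[(f.check, f.resource)]}")
```

Keeping the accepted-risk map in version control next to the manifests gives reviewers the same information as the table above, but in a form that can be re-checked on every change: a finding that later disappears from the accepted map (for example after the privileged flag is dropped) is reported as open again rather than silently inheriting the old justification.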
