Snyk - Open Source Security

Snyk test report

December 22nd 2024, 12:21:41 am (UTC+00:00)

Scanned the following path:
  • /argo-cd/manifests/namespace-install.yaml (Kubernetes)
43 total issues
Project manifests/namespace-install.yaml
Path /argo-cd/manifests/namespace-install.yaml
Project Type Kubernetes

Role or ClusterRole with dangerous permissions

medium severity

  • Public ID: SNYK-CC-K8S-47
  • Introduced through: [DocId: 7] rules[0] resources
  • Line number: 77

Impact

Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

Remediation

Consider removing these permissions


Role or ClusterRole with dangerous permissions

medium severity

  • Public ID: SNYK-CC-K8S-47
  • Introduced through: [DocId: 8] rules[4] resources
  • Line number: 164

Impact

Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

Remediation

Consider removing these permissions


Role or ClusterRole with dangerous permissions

medium severity

  • Public ID: SNYK-CC-K8S-47
  • Introduced through: [DocId: 9] rules[0] resources
  • Line number: 192

Impact

Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

Remediation

Consider removing these permissions


Role or ClusterRole with dangerous permissions

medium severity

  • Public ID: SNYK-CC-K8S-47
  • Introduced through: [DocId: 10] rules[1] resources
  • Line number: 222

Impact

Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

Remediation

Consider removing these permissions


Role or ClusterRole with dangerous permissions

medium severity

  • Public ID: SNYK-CC-K8S-47
  • Introduced through: [DocId: 10] rules[3] resources
  • Line number: 240

Impact

Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

Remediation

Consider removing these permissions


Role or ClusterRole with dangerous permissions

medium severity

  • Public ID: SNYK-CC-K8S-47
  • Introduced through: [DocId: 11] rules[0] resources
  • Line number: 258

Impact

Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

Remediation

Consider removing these permissions


Role or ClusterRole with dangerous permissions

medium severity

  • Public ID: SNYK-CC-K8S-47
  • Introduced through: [DocId: 12] rules[0] resources
  • Line number: 280

Impact

Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

Remediation

Consider removing these permissions


Container could be running with outdated image

low severity

  • Public ID: SNYK-CC-K8S-42
  • Introduced through: [DocId: 39] spec template spec initContainers[secret-init] imagePullPolicy
  • Line number: 1156

Impact

The container may run with outdated or unauthorized image

Remediation

Set `imagePullPolicy` attribute to `Always`


Container could be running with outdated image

low severity

  • Public ID: SNYK-CC-K8S-42
  • Introduced through: [DocId: 40] spec template spec initContainers[copyutil] imagePullPolicy
  • Line number: 1463

Impact

The container may run with outdated or unauthorized image

Remediation

Set `imagePullPolicy` attribute to `Always`


Container has no CPU limit

low severity

  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 36] input spec template spec containers[argocd-applicationset-controller] resources limits cpu
  • Line number: 675

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value


Container has no CPU limit

low severity

  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 37] input spec template spec initContainers[copyutil] resources limits cpu
  • Line number: 958

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value


Container has no CPU limit

low severity

  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 37] input spec template spec containers[dex] resources limits cpu
  • Line number: 912

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value


Container has no CPU limit

low severity

  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 38] input spec template spec containers[argocd-notifications-controller] resources limits cpu
  • Line number: 1020

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value


Container has no CPU limit

low severity

  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 39] input spec template spec containers[redis] resources limits cpu
  • Line number: 1127

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value


Container has no CPU limit

low severity

  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 39] input spec template spec initContainers[secret-init] resources limits cpu
  • Line number: 1151

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value


Container has no CPU limit

low severity

  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 40] input spec template spec initContainers[copyutil] resources limits cpu
  • Line number: 1463

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value


Container has no CPU limit

low severity

  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 40] input spec template spec containers[argocd-repo-server] resources limits cpu
  • Line number: 1210

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value


Container has no CPU limit

low severity

  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 41] input spec template spec containers[argocd-server] resources limits cpu
  • Line number: 1550

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value


Container has no CPU limit

low severity

  • Public ID: SNYK-CC-K8S-5
  • Introduced through: [DocId: 42] input spec template spec containers[argocd-application-controller] resources limits cpu
  • Line number: 1948

Impact

CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

Remediation

Add `resources.limits.cpu` field with required CPU limit value


Container is running with multiple open ports

low severity

  • Public ID: SNYK-CC-K8S-36
  • Introduced through: [DocId: 37] spec template spec containers[dex] ports
  • Line number: 938

Impact

Increases the attack surface of the application and the container.

Remediation

Reduce `ports` count to 2


Container is running without liveness probe

low severity

  • Public ID: SNYK-CC-K8S-41
  • Introduced through: [DocId: 36] spec template spec containers[argocd-applicationset-controller] livenessProbe
  • Line number: 675

Impact

Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

Remediation

Add `livenessProbe` attribute


Container is running without liveness probe

low severity

  • Public ID: SNYK-CC-K8S-41
  • Introduced through: [DocId: 37] spec template spec containers[dex] livenessProbe
  • Line number: 912

Impact

Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

Remediation

Add `livenessProbe` attribute


Container is running without liveness probe

low severity

  • Public ID: SNYK-CC-K8S-41
  • Introduced through: [DocId: 39] spec template spec containers[redis] livenessProbe
  • Line number: 1127

Impact

Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

Remediation

Add `livenessProbe` attribute


Container is running without memory limit

low severity

  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 36] input spec template spec containers[argocd-applicationset-controller] resources limits memory
  • Line number: 675

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value


Container is running without memory limit

low severity

  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 37] input spec template spec containers[dex] resources limits memory
  • Line number: 912

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value


Container is running without memory limit

low severity

  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 37] input spec template spec initContainers[copyutil] resources limits memory
  • Line number: 958

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value


Container is running without memory limit

low severity

  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 38] input spec template spec containers[argocd-notifications-controller] resources limits memory
  • Line number: 1020

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value


Container is running without memory limit

low severity

  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 39] input spec template spec containers[redis] resources limits memory
  • Line number: 1127

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value


Container is running without memory limit

low severity

  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 39] input spec template spec initContainers[secret-init] resources limits memory
  • Line number: 1151

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value


Container is running without memory limit

low severity

  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 40] input spec template spec initContainers[copyutil] resources limits memory
  • Line number: 1463

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value


Container is running without memory limit

low severity

  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 40] input spec template spec containers[argocd-repo-server] resources limits memory
  • Line number: 1210

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value


Container is running without memory limit

low severity

  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 41] input spec template spec containers[argocd-server] resources limits memory
  • Line number: 1550

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value


Container is running without memory limit

low severity

  • Public ID: SNYK-CC-K8S-4
  • Introduced through: [DocId: 42] input spec template spec containers[argocd-application-controller] resources limits memory
  • Line number: 1948

Impact

Containers without memory limits are more likely to be terminated when the node runs out of memory

Remediation

Set `resources.limits.memory` value


Container's or Pod's UID could clash with host's UID

low severity

  • Public ID: SNYK-CC-K8S-11
  • Introduced through: [DocId: 36] input spec template spec containers[argocd-applicationset-controller] securityContext runAsUser
  • Line number: 834

Impact

UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

Remediation

Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence


Container's or Pod's UID could clash with host's UID

low severity

  • Public ID: SNYK-CC-K8S-11
  • Introduced through: [DocId: 37] input spec template spec initContainers[copyutil] securityContext runAsUser
  • Line number: 966

Impact

UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

Remediation

Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence


Container's or Pod's UID could clash with host's UID

low severity

  • Public ID: SNYK-CC-K8S-11
  • Introduced through: [DocId: 37] input spec template spec containers[dex] securityContext runAsUser
  • Line number: 941

Impact

UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

Remediation

Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence


Container's or Pod's UID could clash with host's UID

low severity

  • Public ID: SNYK-CC-K8S-11
  • Introduced through: [DocId: 38] input spec template spec containers[argocd-notifications-controller] securityContext runAsUser
  • Line number: 1059

Impact

UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

Remediation

Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence


Container's or Pod's UID could clash with host's UID

low severity

  • Public ID: SNYK-CC-K8S-11
  • Introduced through: [DocId: 39] input spec template spec containers[redis] securityContext runAsUser
  • Line number: 1144

Impact

UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

Remediation

Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence


Container's or Pod's UID could clash with host's UID

low severity

  • Public ID: SNYK-CC-K8S-11
  • Introduced through: [DocId: 39] input spec template spec initContainers[secret-init] securityContext runAsUser
  • Line number: 1158

Impact

UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

Remediation

Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence


Container's or Pod's UID could clash with host's UID

low severity

  • Public ID: SNYK-CC-K8S-11
  • Introduced through: [DocId: 40] input spec template spec initContainers[copyutil] securityContext runAsUser
  • Line number: 1470

Impact

UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

Remediation

Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence


Container's or Pod's UID could clash with host's UID

low severity

  • Public ID: SNYK-CC-K8S-11
  • Introduced through: [DocId: 40] input spec template spec containers[argocd-repo-server] securityContext runAsUser
  • Line number: 1436

Impact

UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

Remediation

Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence


Container's or Pod's UID could clash with host's UID

low severity

  • Public ID: SNYK-CC-K8S-11
  • Introduced through: [DocId: 41] input spec template spec containers[argocd-server] securityContext runAsUser
  • Line number: 1847

Impact

UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

Remediation

Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence


Container's or Pod's UID could clash with host's UID

low severity

  • Public ID: SNYK-CC-K8S-11
  • Introduced through: [DocId: 42] input spec template spec containers[argocd-application-controller] securityContext runAsUser
  • Line number: 2181

Impact

UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

Remediation

Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence