description:"Log file name for the scan report. You will find this report in /logs/FILENAME_DATEFORMAT"
schema:
type:string
default:"clamscan_report"
required:true
- variable:date_format
label:"Date Format"
description:"Date format for the log file"
schema:
type:string
default:"MM-DD-YYYY_HH.MM.SS"
required:true
enum:
- value:"+%m-%d-%Y_%H.%M.%S"
description:"MM-DD-YYYY_HH.MM.SS"
- value:"+%Y-%m-%d_%H.%M.%S"
description:"YYYY-MM-DD_HH.MM.SS"
- value:"+%H.%M.%S_%m-%d-%Y"
description:"HH.MM.SS_MM-DD-YYYY"
- value:"+%H.%M.%S_%Y-%m-%d"
description:"HH.MM.SS_YYYY-MM-DD"
- variable:extra_args
label:"Extra Args"
description:"Set extra args for clamscan here. (https://linux.die.net/man/1/clamscan). We already set --log, --database and --recursive. Do not add those here."
schema:
type:string
default:""
- variable:TZ
label:"Timezone"
@@ -1010,7 +1062,170 @@ questions:
type:string
- variable:scandir
label:"App Scan Dir Storage"
description:"Stores the Application Scan Directory."
description:"Stores the Application Scan Directory. (By default set to readOnly)"
schema:
additional_attrs:true
type:dict
attrs:
- variable:type
label:"Type of Storage"
description:"Sets the persistence type, Anything other than PVC could break rollback!"
schema:
type:string
default:"simplePVC"
enum:
- value:"simplePVC"
description:"PVC (simple)"
- value:"simpleHP"
description:"HostPath (simple)"
- value:"emptyDir"
description:"emptyDir"
- value:"pvc"
description:"pvc"
- value:"hostPath"
description:"hostPath"
- variable:setPermissionsSimple
label:"Automatic Permissions"
description:"Automatically set permissions on install"
schema:
show_if:[["type","=","simpleHP"]]
type:boolean
default:true
- variable:setPermissions
label:"Automatic Permissions"
description:"Automatically set permissions on install"
schema:
show_if:[["type","=","hostPath"]]
type:boolean
default:true
- variable:readOnly
label:"readOnly"
schema:
type:boolean
default:false
- variable:hostPathSimple
label:"hostPath"
description:"Path inside the container the storage is mounted"
schema:
show_if:[["type","=","simpleHP"]]
type:hostpath
- variable:hostPath
label:"hostPath"
description:"Path inside the container the storage is mounted"
schema:
show_if:[["type","=","hostPath"]]
type:hostpath
- variable:medium
label:"EmptyDir Medium"
schema:
show_if:[["type","=","emptyDir"]]
type:string
default:""
enum:
- value:""
description:"Default"
- value:"Memory"
description:"Memory"
- variable:size
label:"Size quotum of storage"
schema:
show_if:[["type","=","pvc"]]
type:string
default:"999Gi"
- variable:hostPathType
label:"(Advanced) hostPath Type"
schema:
show_if:[["type","=","hostPath"]]
type:string
default:""
enum:
- value:""
description:"Default"
- value:"DirectoryOrCreate"
description:"DirectoryOrCreate"
- value:"Directory"
description:"Directory"
- value:"FileOrCreate"
description:"FileOrCreate"
- value:"File"
description:"File"
- value:"Socket"
description:"Socket"
- value:"CharDevice"
description:"CharDevice"
- value:"BlockDevice"
description:"BlockDevice"
- variable:storageClass
label:"(Advanced) storageClass"
description:"Warning: Anything other than SCALE-ZFS or empty will break rollback!"
schema:
show_if:[["type","=","pvc"]]
type:string
default:"SCALE-ZFS"
- variable:accessMode
label:"(Advanced) Access Mode"
description:"Allow or disallow multiple PVC's writhing to the same PV"
| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | <details><summary>Expand...</summary> A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node. <br> <hr> <br> Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should set 'securityContext.allowPrivilegeEscalation' to false </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv001">https://avd.aquasec.com/appshield/ksv001</a><br></details> |
| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | <details><summary>Expand...</summary> A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node. <br> <hr> <br> Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.allowPrivilegeEscalation' to false </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv001">https://avd.aquasec.com/appshield/ksv001</a><br></details> |
| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | <details><summary>Expand...</summary> The container should drop all default capabilities and add only those that are needed for its execution. <br> <hr> <br> Container 'RELEASE-NAME-clamav' of Deployment 'RELEASE-NAME-clamav' should add 'ALL' to 'securityContext.capabilities.drop' </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/">https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/</a><br><a href="https://avd.aquasec.com/appshield/ksv003">https://avd.aquasec.com/appshield/ksv003</a><br></details> |
| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | <details><summary>Expand...</summary> The container should drop all default capabilities and add only those that are needed for its execution. <br> <hr> <br> Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should add 'ALL' to 'securityContext.capabilities.drop' </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/">https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/</a><br><a href="https://avd.aquasec.com/appshield/ksv003">https://avd.aquasec.com/appshield/ksv003</a><br></details> |
| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | <details><summary>Expand...</summary> The container should drop all default capabilities and add only those that are needed for its execution. <br> <hr> <br> Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should add 'ALL' to 'securityContext.capabilities.drop' </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/">https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/</a><br><a href="https://avd.aquasec.com/appshield/ksv003">https://avd.aquasec.com/appshield/ksv003</a><br></details> |
| Kubernetes Security Check | KSV011 | CPU not limited | LOW | <details><summary>Expand...</summary> Enforcing CPU limits prevents DoS via resource exhaustion. <br> <hr> <br> Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'resources.limits.cpu' </details>| <details><summary>Expand...</summary><a href="https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits">https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits</a><br><a href="https://avd.aquasec.com/appshield/ksv011">https://avd.aquasec.com/appshield/ksv011</a><br></details> |
| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | <details><summary>Expand...</summary> 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges. <br> <hr> <br> Container 'RELEASE-NAME-clamav' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsNonRoot' to true </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv012">https://avd.aquasec.com/appshield/ksv012</a><br></details> |
| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | <details><summary>Expand...</summary> 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges. <br> <hr> <br> Container 'autopermissions' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsNonRoot' to true </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv012">https://avd.aquasec.com/appshield/ksv012</a><br></details> |
| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | <details><summary>Expand...</summary> 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges. <br> <hr> <br> Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should set 'securityContext.runAsNonRoot' to true </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv012">https://avd.aquasec.com/appshield/ksv012</a><br></details> |
| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | <details><summary>Expand...</summary> 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges. <br> <hr> <br> Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsNonRoot' to true </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv012">https://avd.aquasec.com/appshield/ksv012</a><br></details> |
| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | <details><summary>Expand...</summary> An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk. <br> <hr> <br> Container 'RELEASE-NAME-clamav' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.readOnlyRootFilesystem' to true </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/">https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/</a><br><a href="https://avd.aquasec.com/appshield/ksv014">https://avd.aquasec.com/appshield/ksv014</a><br></details> |
| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | <details><summary>Expand...</summary> An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk. <br> <hr> <br> Container 'autopermissions' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.readOnlyRootFilesystem' to true </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/">https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/</a><br><a href="https://avd.aquasec.com/appshield/ksv014">https://avd.aquasec.com/appshield/ksv014</a><br></details> |
| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | <details><summary>Expand...</summary> An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk. <br> <hr> <br> Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should set 'securityContext.readOnlyRootFilesystem' to true </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/">https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/</a><br><a href="https://avd.aquasec.com/appshield/ksv014">https://avd.aquasec.com/appshield/ksv014</a><br></details> |
| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | <details><summary>Expand...</summary> An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk. <br> <hr> <br> Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.readOnlyRootFilesystem' to true </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/">https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/</a><br><a href="https://avd.aquasec.com/appshield/ksv014">https://avd.aquasec.com/appshield/ksv014</a><br></details> |
| Kubernetes Security Check | KSV015 | CPU requests not specified | LOW | <details><summary>Expand...</summary> When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. <br> <hr> <br> Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'resources.requests.cpu' </details>| <details><summary>Expand...</summary><a href="https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits">https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits</a><br><a href="https://avd.aquasec.com/appshield/ksv015">https://avd.aquasec.com/appshield/ksv015</a><br></details> |
| Kubernetes Security Check | KSV016 | Memory requests not specified | LOW | <details><summary>Expand...</summary> When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. <br> <hr> <br> Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'resources.requests.memory' </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-resources-limits-memory/">https://kubesec.io/basics/containers-resources-limits-memory/</a><br><a href="https://avd.aquasec.com/appshield/ksv016">https://avd.aquasec.com/appshield/ksv016</a><br></details> |
@@ -33,10 +37,13 @@ hide:
| Kubernetes Security Check | KSV018 | Memory not limited | LOW | <details><summary>Expand...</summary> Enforcing memory limits prevents DoS via resource exhaustion. <br> <hr> <br> Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'resources.limits.memory' </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-resources-limits-memory/">https://kubesec.io/basics/containers-resources-limits-memory/</a><br><a href="https://avd.aquasec.com/appshield/ksv018">https://avd.aquasec.com/appshield/ksv018</a><br></details> |
| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table. <br> <hr> <br> Container 'RELEASE-NAME-clamav' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsUser' > 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv020">https://avd.aquasec.com/appshield/ksv020</a><br></details> |
| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table. <br> <hr> <br> Container 'autopermissions' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsUser' > 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv020">https://avd.aquasec.com/appshield/ksv020</a><br></details> |
| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table. <br> <hr> <br> Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should set 'securityContext.runAsUser' > 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv020">https://avd.aquasec.com/appshield/ksv020</a><br></details> |
| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table. <br> <hr> <br> Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsUser' > 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv020">https://avd.aquasec.com/appshield/ksv020</a><br></details> |
| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table. <br> <hr> <br> Container 'RELEASE-NAME-clamav' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsGroup' > 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv021">https://avd.aquasec.com/appshield/ksv021</a><br></details> |
| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table. <br> <hr> <br> Container 'autopermissions' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsGroup' > 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv021">https://avd.aquasec.com/appshield/ksv021</a><br></details> |
| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table. <br> <hr> <br> Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should set 'securityContext.runAsGroup' > 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv021">https://avd.aquasec.com/appshield/ksv021</a><br></details> |
| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table. <br> <hr> <br> Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsGroup' > 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv021">https://avd.aquasec.com/appshield/ksv021</a><br></details> |
| Kubernetes Security Check | KSV023 | hostPath volumes mounted | MEDIUM | <details><summary>Expand...</summary> HostPath volumes must be forbidden. <br> <hr> <br> CronJob 'RELEASE-NAME-clamav-cronjob' should not set 'spec.template.volumes.hostPath' </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline">https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline</a><br><a href="https://avd.aquasec.com/appshield/ksv023">https://avd.aquasec.com/appshield/ksv023</a><br></details> |
| Kubernetes Security Check | KSV023 | hostPath volumes mounted | MEDIUM | <details><summary>Expand...</summary> HostPath volumes must be forbidden. <br> <hr> <br> Deployment 'RELEASE-NAME-clamav' should not set 'spec.template.volumes.hostPath' </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline">https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline</a><br><a href="https://avd.aquasec.com/appshield/ksv023">https://avd.aquasec.com/appshield/ksv023</a><br></details> |
| Kubernetes Security Check | KSV029 | A root primary or supplementary GID set | LOW | <details><summary>Expand...</summary> Containers should be forbidden from running with a root primary or supplementary GID. <br> <hr> <br> Deployment 'RELEASE-NAME-clamav' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0 </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv029">https://avd.aquasec.com/appshield/ksv029</a><br></details> |
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.