
snyk test found some issues in kubearmor deployment

Open rksharma95 opened this issue 3 years ago • 2 comments

Snyk reported some vulnerabilities that are found in kubearmor. Some of these are high priority issues. All the reported issues here are common to all the various kubearmor deployments, i.e. AKS, EKS, GKE, etc., and the proposed solution for an issue can be generalized for all deployments.

| Issue no. | Vulnerability | Affected resource(s) | Source file |
|---|---|---|---|
| 1 | https://snyk.io/security-rules/SNYK-CC-K8S-2 | kubearmor daemon | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L167 |
| 2 | https://snyk.io/security-rules/SNYK-CC-K8S-1 | kubearmor daemon | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L100 |
| 3 | https://snyk.io/security-rules/SNYK-CC-K8S-46 | cluster role | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L9 |
| 4 | https://snyk.io/security-rules/SNYK-CC-K8S-6 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 5 | https://snyk.io/security-rules/SNYK-CC-K8S-14 | kubearmor | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L128 |
| 6 | https://snyk.io/security-rules/SNYK-CC-K8S-3 | kubearmor | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L129 |
| 7 | https://snyk.io/security-rules/SNYK-CC-K8S-9 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 8 | https://snyk.io/security-rules/SNYK-CC-K8S-10 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 9 | https://snyk.io/security-rules/SNYK-CC-K8S-42 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 10 | https://snyk.io/security-rules/SNYK-CC-K8S-5 | kubearmor-daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L82, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 11 | https://snyk.io/security-rules/SNYK-CC-K8S-8 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 12 | https://snyk.io/security-rules/SNYK-CC-K8S-32 | kubearmor daemon | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L75 |
| 13 | https://snyk.io/security-rules/SNYK-CC-K8S-41 | kubearmor-host-policy-manager, kubearmor-policy-manager, kubearmor daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L279, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L296, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L227, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L210, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L99, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |
| 14 | https://snyk.io/security-rules/SNYK-CC-K8S-4 | kubearmor-daemon, kubearmor-relay | https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L82, https://github.com/kubearmor/KubeArmor/blob/main/deployments/docker/kubearmor.yaml#L55 |

rksharma95 avatar Jun 09 '22 06:06 rksharma95

Hey @rksharma95, can you please attach the full Snyk report here as well? Thanks

nyrahul avatar Jun 09 '22 07:06 nyrahul

| Issue no | Snyk severity | Adjusted severity | Reasoning |
|---|---|---|---|
| 1 | High | Medium | The socket is used to communicate with the runtime to gather necessary information on the node; in addition the socket is mounted in readonly mode. N/A (design constraint) |
| 2 | High | High | - N/A we need privileged mode to mount the ebpf program to the kernel |
| 3 | Medium | High | Kubearmor is running as a cluster admin |
| 4 | Medium | Medium | - https://github.com/kubearmor/KubeArmor/issues/763 |
| 5 | Medium | Medium | - N/A required by kubearmor |
| 6 | Medium | Medium | - N/A required by kubearmor |
| 7 | Medium | Medium | - cannot set this flag to false as we are running kubearmor in privileged mode |
| 8 | Medium | Low | Kubearmor expects to be run as root user. N/A |
| 9 | Low | Low | - Yaml used for test purposes |
| 10 | Low | - | - can be determined based on the result of this Issue |
| 11 | Low | Low | - https://github.com/kubearmor/KubeArmor/pull/762 |
| 12 | Low | | Issue |
| 13 | Low | Low | https://github.com/kubearmor/kubearmor-relay-server/issues/18, https://github.com/kubearmor/KubeArmor/issues/764 |
| 14 | Low | - | can be determined based on the result of this Issue |

achrefbensaad avatar Jul 08 '22 05:07 achrefbensaad
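The two tables above (the Snyk findings and the triage that accepts some of them as design constraints) can be turned into a repeatable check. The script below is an added example, not KubeArmor's or Snyk's code: it evaluates a pod spec for the settings the thread discusses (privileged, hostPID/hostNetwork, root user, capabilities, resource limits, writable hostPath mounts) and keeps accepted exceptions and their reasons separate from open findings. The check names and the sample spec are assumptions of mine, not Snyk rule IDs or the real manifest.

```python
# Added example, not KubeArmor's or Snyk's code: a stdlib-only checker for the
# pod settings discussed in this thread. Check names are mine, not Snyk rule IDs.

def check_pod_spec(spec):
    """Return (check, subject, detail) tuples for one pod spec, unfiltered."""
    f = []
    for key in ("hostPID", "hostNetwork"):
        if spec.get(key):
            f.append((key, "pod", f"{key}: true shares the host namespace"))
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("privileged"):
            f.append(("privileged", name, "container runs privileged"))
        if sc.get("allowPrivilegeEscalation", True):  # API default is true
            f.append(("privilege-escalation", name, "allowPrivilegeEscalation not false"))
        if sc.get("runAsNonRoot") is not True:
            f.append(("root-user-control", name, "runAsNonRoot not enforced"))
        if sc.get("runAsUser", 0) == 0:
            f.append(("root-user", name, "runAsUser unset or 0"))
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            f.append(("capabilities-not-dropped", name, "does not drop ALL capabilities"))
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                f.append((f"no-{res}-limit", name, f"no {res} limit set"))
        for m in c.get("volumeMounts", []):  # hostPath mounts should be read-only
            if "hostPath" in volumes.get(m["name"], {}) and not m.get("readOnly"):
                f.append(("writable-hostpath", name, f"{m['mountPath']} is writable"))
    return f

def triage(spec, accepted):
    """Split findings into (open, accepted); accepted maps check name -> reason."""
    found = check_pod_spec(spec)
    return [x for x in found if x[0] not in accepted], [x for x in found if x[0] in accepted]

# Constructed spec resembling the daemon discussed above, not the real manifest.
SAMPLE_SPEC = {
    "hostPID": True, "hostNetwork": True,
    "volumes": [{"name": "cri-sock", "hostPath": {"path": "/run/containerd/containerd.sock"}},
                {"name": "bpf", "hostPath": {"path": "/sys/fs/bpf"}}],
    "containers": [{"name": "kubearmor", "securityContext": {"privileged": True},
                    "resources": {"limits": {"memory": "256Mi"}},
                    "volumeMounts": [{"name": "cri-sock", "mountPath": "/run/cri.sock", "readOnly": True},
                                     {"name": "bpf", "mountPath": "/sys/fs/bpf"}]}]}
# Exceptions with the reasons given in the thread, kept explicit and reviewable.
ACCEPTED = {"privileged": "needed to load eBPF programs into the kernel",
            "privilege-escalation": "cannot be false while privileged",
            "hostPID": "required by kubearmor", "hostNetwork": "required by kubearmor",
            "root-user": "kubearmor expects to run as root"}
```

Calling `triage(SAMPLE_SPEC, ACCEPTED)` leaves the runAsNonRoot, capability, CPU-limit and writable `/sys/fs/bpf` findings open while the five accepted ones carry their documented reason, so a change to the manifest that drops an exception shows up as a diff rather than silently disappearing.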