mirror of
https://github.com/intel/intel-device-plugins-for-kubernetes.git
synced 2025-06-03 03:59:37 +00:00
36 lines
1.4 KiB
Plaintext
36 lines
1.4 KiB
Plaintext
# Image user should not be ‘root’
|
||
# Running containers with ‘root’ user can lead to a container escape situation.
|
||
# It is a best practice to run containers as non-root users, which can be done by
|
||
# adding # a ‘USER’ statement to the Dockerfile.
|
||
AVD-DS-0002
|
||
|
||
# Privileged containers share namespaces with the host system and do not offer any security.
|
||
# They should be used exclusively for system containers that require high # privileges.
|
||
# initcontainers require privileged access
|
||
AVD-KSV-0017
|
||
|
||
# Do not allow privilege escalation from node proxy
|
||
# Check whether role permits privilege escalation from node proxy
|
||
# gpu plugin in kubelet mode requires "nodes/proxy" resource access
|
||
AVD-KSV-0047
|
||
|
||
# Do not allow update/create of a malicious pod
|
||
# Check whether role permits update/create of a malicious pod
|
||
# device plugin operator requires access to daemonset creation etc.
|
||
AVD-KSV-0048
|
||
|
||
# HostPath present many security risks and as a security practice it is better to avoid critical host paths mounts.
|
||
# Some plugins require access to various host paths
|
||
AVD-KSV-0121
|
||
|
||
# Ignore invalid "readOnlyRootFilesystem" detections
|
||
AVD-KSV-0014
|
||
|
||
# Trivy invalidly detects securityContext issues from yaml
|
||
# files that are patch files
|
||
AVD-KSV-0118
|
||
|
||
# Ignore GitRepo volume vulnerability as we don't use it and it might not
|
||
# receive a fix due to being a deprecated feature.
|
||
CVE-2025-1767
|