docs/assets/examples/json-report-sample.json
|
{
"checks": { "ingressHealth": { "Items": [], "Total": 0 }, "missingResourceLimits": { "Items": [ { "Namespace": "aks-istio-system", "Workload": "istiod-asm-1-23", "Kind": "Deployment", "Container": "discovery", "MissingRequests": "", "MissingLimits": "CPU, Memory" }, { "Namespace": "app-routing-system", "Workload": "nginx", "Kind": "Deployment", "Container": "controller", "MissingRequests": "", "MissingLimits": "CPU, Memory" }, { "Namespace": "argo-rollouts", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argo-workflows", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-applicationset-controller", "Kind": "Deployment", "Container": "argocd-applicationset-controller", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-dex-server", "Kind": "Deployment", "Container": "dex", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-dex-server", "Kind": "Deployment", "Container": "copyutil", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-notifications-controller", "Kind": "Deployment", "Container": "argocd-notifications-controller", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-redis-ha-haproxy", "Kind": "Deployment", "Container": "haproxy", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-redis-ha-haproxy", "Kind": "Deployment", "Container": "secret-init", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-redis-ha-haproxy", "Kind": "Deployment", "Container": "config-init", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-repo-server", "Kind": "Deployment", "Container": "argocd-repo-server", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-repo-server", "Kind": "Deployment", "Container": "copyutil", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-server", "Kind": "Deployment", "Container": "argocd-server", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "cert-manager", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "grafana", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "kiali-operator", "Workload": "kiali-operator", "Kind": "Deployment", "Container": "operator", "MissingRequests": "", "MissingLimits": "CPU, Memory" }, { "Namespace": "kubeview", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "linkerd", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "nginx", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "prometheus", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "sealed-secrets", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "test", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-application-controller", "Kind": "StatefulSet", "Container": "argocd-application-controller", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-redis-ha-server", "Kind": "StatefulSet", "Container": "redis", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-redis-ha-server", "Kind": "StatefulSet", "Container": "sentinel", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-redis-ha-server", "Kind": "StatefulSet", "Container": "split-brain-fix", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "argocd", "Workload": "argocd-redis-ha-server", "Kind": "StatefulSet", "Container": "config-init", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "kube-system", "Workload": "ama-metrics-win-node", "Kind": "DaemonSet", "Container": "prometheus-collector", "MissingRequests": "CPU, Memory", "MissingLimits": "" }, { "Namespace": "kube-system", "Workload": "azure-npm", "Kind": "DaemonSet", "Container": "block-wireserver", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "kube-system", "Workload": "kube-proxy", "Kind": "DaemonSet", "Container": "kube-proxy", "MissingRequests": "", "MissingLimits": "CPU, Memory" }, { "Namespace": "kube-system", "Workload": "kube-proxy", "Kind": "DaemonSet", "Container": "kube-proxy-bootstrap", "MissingRequests": "", "MissingLimits": "CPU, Memory" }, { "Namespace": "kube-system", "Workload": "microsoft-defender-publisher-ds", "Kind": "DaemonSet", "Container": "old-file-cleaner", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "kube-system", "Workload": "retina-agent", "Kind": "DaemonSet", "Container": "retina-agent-init", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" }, { "Namespace": "kube-system", "Workload": "windows-kube-proxy-initializer", "Kind": "DaemonSet", "Container": "pause", "MissingRequests": "CPU, Memory", "MissingLimits": "CPU, Memory" } ], "Total": 35 }, "orphanedSecrets": { "Items": [ { "Namespace": "aks-istio-system", "Type": "🔑 Secret", "Name": "istio-ca-secret" }, { "Namespace": "argocd", "Type": "🔑 Secret", "Name": "argocd-initial-admin-secret" }, { "Namespace": "argocd", "Type": "🔑 Secret", "Name": "argocd-notifications-secret" }, { "Namespace": "argocd", "Type": "🔑 Secret", "Name": "argocd-secret" }, { "Namespace": "argocd", "Type": "🔑 Secret", "Name": "repo-1114886772" }, { "Namespace": "argocd", "Type": "🔑 Secret", "Name": "repo-1952242182" }, { "Namespace": "kube-system", "Type": "🔑 Secret", "Name": "aad-msi-auth-token" }, { "Namespace": "kube-system", "Type": "🔑 Secret", "Name": "azure-policy-webhook-cert" }, { "Namespace": "kube-system", "Type": "🔑 Secret", "Name": "extensions-aad-msi-token" }, { "Namespace": "kube-system", "Type": "🔑 Secret", "Name": "omsagent-aad-msi-token" } ], "Total": 10 }, "rbacOverexposure": { "Items": [ { "Namespace": "🌍 Cluster-Wide", "Binding": "aks-cluster-admin-binding", "Subject": "User/clusterAdmin", "Role": "cluster-admin", "Scope": "ClusterRoleBinding", "Risk": "❗ cluster-admin (built-in role)", "Severity": "Critical", "Recommendation": "Replace with a least-privilege ClusterRole. This is a built-in Kubernetes role; proceed with caution when modifying." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "aks-cluster-admin-binding", "Subject": "User/clusterUser", "Role": "cluster-admin", "Scope": "ClusterRoleBinding", "Risk": "❗ cluster-admin (built-in role)", "Severity": "Critical", "Recommendation": "Replace with a least-privilege ClusterRole. This is a built-in Kubernetes role; proceed with caution when modifying." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "aks-cluster-admin-binding-aad", "Subject": "Group/e591c663-c79c-47a4-94b8-f646b8647046", "Role": "cluster-admin", "Scope": "ClusterRoleBinding", "Risk": "❗ cluster-admin (built-in role)", "Severity": "Critical", "Recommendation": "Replace with a least-privilege ClusterRole. This is a built-in Kubernetes role; proceed with caution when modifying." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "aks-secretprovidersyncing-rolebinding", "Subject": "ServiceAccount/aks-secrets-store-csi-driver", "Role": "aks-secretprovidersyncing-role", "Scope": "ClusterRoleBinding", "Risk": "⚠️ sensitive resource access", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "aks-service-rolebinding", "Subject": "User/aks-support", "Role": "aks-service", "Scope": "ClusterRoleBinding", "Risk": "⚠️ sensitive resource access", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "argocd-application-controller", "Subject": "ServiceAccount/argocd-application-controller", "Role": "argocd-application-controller", "Scope": "ClusterRoleBinding", "Risk": "⚠️ wildcard access", "Severity": "High", "Recommendation": "Restrict the ClusterRole to specific verbs, resources, and apiGroups." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "cluster-admin", "Subject": "Group/system:masters", "Role": "cluster-admin", "Scope": "ClusterRoleBinding", "Risk": "❗ cluster-admin (built-in role)", "Severity": "Critical", "Recommendation": "Replace with a least-privilege ClusterRole. This is a built-in Kubernetes role; proceed with caution when modifying." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "extension-operator", "Subject": "ServiceAccount/extension-operatorsa", "Role": "cluster-admin", "Scope": "ClusterRoleBinding", "Risk": "❗ cluster-admin (built-in role)", "Severity": "Critical", "Recommendation": "Replace with a least-privilege ClusterRole. This is a built-in Kubernetes role; proceed with caution when modifying." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "kiali-operator", "Subject": "ServiceAccount/kiali-operator", "Role": "kiali-operator", "Scope": "ClusterRoleBinding", "Risk": "⚠️ sensitive resource access", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "system:controller:clusterrole-aggregation-controller", "Subject": "ServiceAccount/clusterrole-aggregation-controller", "Role": "system:controller:clusterrole-aggregation-controller", "Scope": "ClusterRoleBinding", "Risk": "⚠️ sensitive resource access (built-in role)", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec. This is a built-in Kubernetes role; proceed with caution when modifying." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "system:controller:legacy-service-account-token-cleaner", "Subject": "ServiceAccount/legacy-service-account-token-cleaner", "Role": "system:controller:legacy-service-account-token-cleaner", "Scope": "ClusterRoleBinding", "Risk": "⚠️ sensitive resource access (built-in role)", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec. This is a built-in Kubernetes role; proceed with caution when modifying." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "system:kube-controller-manager", "Subject": "User/system:kube-controller-manager", "Role": "system:kube-controller-manager", "Scope": "ClusterRoleBinding", "Risk": "⚠️ sensitive resource access (built-in role)", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec. This is a built-in Kubernetes role; proceed with caution when modifying." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "system:kube-scheduler", "Subject": "User/system:kube-scheduler", "Role": "system:kube-scheduler", "Scope": "ClusterRoleBinding", "Risk": "⚠️ sensitive resource access (built-in role)", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec. This is a built-in Kubernetes role; proceed with caution when modifying." }, { "Namespace": "🌍 Cluster-Wide", "Binding": "system:persistent-volume-binding", "Subject": "ServiceAccount/persistent-volume-binder", "Role": "system:persistent-volume-secret-operator", "Scope": "ClusterRoleBinding", "Risk": "⚠️ sensitive resource access (built-in role)", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec. This is a built-in Kubernetes role; proceed with caution when modifying." }, { "Namespace": "aks-istio-system", "Binding": "istiod-asm-1-23", "Subject": "ServiceAccount/istiod-asm-1-23", "Role": "istiod-asm-1-23", "Scope": "RoleBinding", "Risk": "⚠️ sensitive resource access", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec." }, { "Namespace": "argocd", "Binding": "argocd-redis-ha-haproxy", "Subject": "ServiceAccount/argocd-redis-ha-haproxy", "Role": "argocd-redis-ha-haproxy", "Scope": "RoleBinding", "Risk": "⚠️ sensitive resource access", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec." }, { "Namespace": "argocd", "Binding": "argocd-server", "Subject": "ServiceAccount/argocd-server", "Role": "argocd-server", "Scope": "RoleBinding", "Risk": "⚠️ sensitive resource access", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec." }, { "Namespace": "gatekeeper-system", "Binding": "gatekeeper-manager-rolebinding", "Subject": "ServiceAccount/gatekeeper-admin", "Role": "gatekeeper-manager-role", "Scope": "RoleBinding", "Risk": "⚠️ sensitive resource access", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec." }, { "Namespace": "kube-system", "Binding": "azure-policy-webhook-rolebinding", "Subject": "ServiceAccount/azure-policy-webhook-account", "Role": "azure-policy-webhook-role", "Scope": "RoleBinding", "Risk": "⚠️ sensitive resource access", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec." }, { "Namespace": "kube-system", "Binding": "keda-operator-certs", "Subject": "ServiceAccount/keda-operator", "Role": "keda-operator-certs", "Scope": "RoleBinding", "Risk": "⚠️ sensitive resource access", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec." }, { "Namespace": "kube-system", "Binding": "system:controller:token-cleaner", "Subject": "ServiceAccount/token-cleaner", "Role": "system:controller:token-cleaner", "Scope": "RoleBinding", "Risk": "⚠️ sensitive resource access", "Severity": "High", "Recommendation": "Restrict access to sensitive resources like secrets or pods/exec." } ], "Total": 21 }, "emptyNamespace": { "TotalEmptyNamespaces": 14, "Namespaces": [ "1", "10", "2", "3", "4", "5", "6", "7", "8", "9", "aks-istio-egress", "default", "kube-node-lease", "kube-public" ] }, "resourceQuotas": { "Items": [ { "Namespace": "1", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "10", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "2", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "3", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "4", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "5", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "6", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "7", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "8", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "9", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "aks-istio-egress", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "aks-istio-ingress", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "aks-istio-system", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "app-routing-system", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "argo-rollouts", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "argo-workflows", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "argocd", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "cert-manager", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "default", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "gatekeeper-system", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "grafana", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "kiali-operator", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "kube-node-lease", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "kube-public", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "kube-system", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "kubeview", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "linkerd", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "nginx", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "pets", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "prometheus", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "sealed-secrets", "Issue": "❌ No ResourceQuota defined" }, { "Namespace": "test", "Issue": "❌ No ResourceQuota defined" } ], "Total": 32 }, "leftoverDebug": { "Items": [], "Total": 0 }, "hostPidNet": { "Items": [ { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-5wpww", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-74vvm", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-c6x7x", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-dhr9b", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-tvsv4", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-wxfc8", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-7lxpz", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-c6xzh", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-k4nc9", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-v7qfj", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-x4zch", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-z8vqr", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-npm-559xn", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-npm-7sp9m", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-npm-chwl2", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-npm-g5hx8", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-npm-x6g85", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "azure-npm-xjh28", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-7r45z", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-lstsj", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-mwl6j", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-p7rf6", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-swp7f", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-vnbh9", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "kube-proxy-22hgl", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "kube-proxy-8dlr6", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "kube-proxy-fh5fr", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "kube-proxy-gb78q", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "kube-proxy-mb2c4", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "kube-proxy-nq2sj", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "retina-agent-62scz", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "retina-agent-ds69z", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "retina-agent-h5wrd", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "retina-agent-p74qf", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "retina-agent-r2bvv", "hostPID": "✅ false", "hostNetwork": "❌ true" }, { "Namespace": "kube-system", "Pod": "retina-agent-xcvmn", "hostPID": "✅ false", "hostNetwork": "❌ true" } ], "Total": 36 }, "orphanedConfigMaps": { "Items": [ { "Namespace": "aks-istio-system", "Type": "📜 ConfigMap", "Name": "istio-asm-1-23" }, { "Namespace": "aks-istio-system", "Type": "📜 ConfigMap", "Name": "istio-gateway-status-leader" }, { "Namespace": "aks-istio-system", "Type": "📜 ConfigMap", "Name": "istio-leader" }, { "Namespace": "aks-istio-system", "Type": "📜 ConfigMap", "Name": "istio-namespace-controller-election" }, { "Namespace": "aks-istio-system", "Type": "📜 ConfigMap", "Name": "istio-sidecar-injector-asm-1-23" }, { "Namespace": "app-routing-system", "Type": "📜 ConfigMap", "Name": "nginx" }, { "Namespace": "argocd", "Type": "📜 ConfigMap", "Name": "argocd-notifications-cm" }, { "Namespace": "argocd", "Type": "📜 ConfigMap", "Name": "argocd-rbac-cm" }, { "Namespace": "kube-system", "Type": "📜 ConfigMap", "Name": "azure-ip-masq-agent-config-reconciled" }, { "Namespace": "kube-system", "Type": "📜 ConfigMap", "Name": "cluster-autoscaler-status" }, { "Namespace": "kube-system", "Type": "📜 ConfigMap", "Name": "container-azm-ms-aks-k8scluster" }, { "Namespace": "kube-system", "Type": "📜 ConfigMap", "Name": "coredns-autoscaler" }, { "Namespace": "kube-system", "Type": "📜 ConfigMap", "Name": "extension-apiserver-authentication" }, { "Namespace": "kube-system", "Type": "📜 ConfigMap", "Name": "extension-immutable-values" }, { "Namespace": "kube-system", "Type": "📜 ConfigMap", "Name": "extensioncontrollerleaderid-lock" }, { "Namespace": "kube-system", "Type": "📜 ConfigMap", "Name": "konnectivity-agent-autoscaler" }, { "Namespace": "kube-system", "Type": "📜 ConfigMap", "Name": "kube-apiserver-legacy-service-account-token-tracking" }, { "Namespace": "kube-system", "Type": "📜 ConfigMap", "Name": "overlay-upgrade-data" }, { "Namespace": "kube-system", "Type": "📜 ConfigMap", "Name": "retina-config-win" } ], "Total": 19 }, "podsRoot": { "Items": [ { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-2q886", "Container": "discovery", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-kffzl", "Container": "discovery", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "argo-rollouts", "Pod": "simple-deployment-74fd649f8d-6nsqn", "Container": "webserver-simple", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "argo-workflows", "Pod": "simple-deployment-74fd649f8d-xh6fc", "Container": "webserver-simple", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "argocd", "Pod": "argocd-application-controller-0", "Container": "argocd-application-controller", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "argocd", "Pod": "argocd-applicationset-controller-6fdf84dbb6-dxmmk", "Container": "argocd-applicationset-controller", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "argocd", "Pod": "argocd-dex-server-556c76889-kspcg", "Container": "dex", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "argocd", "Pod": "argocd-notifications-controller-6ff6bf8dd6-2jmv8", "Container": "argocd-notifications-controller", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-8r5mv", "Container": "argocd-repo-server", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-q2tbb", "Container": "argocd-repo-server", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "argocd", "Pod": "argocd-server-5df7b9f58d-7s5qh", "Container": "argocd-server", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "argocd", "Pod": "argocd-server-5df7b9f58d-rrxzz", "Container": "argocd-server", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "cert-manager", "Pod": "simple-deployment-74fd649f8d-ps8ll", "Container": "webserver-simple", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "grafana", "Pod": "simple-deployment-74fd649f8d-f52jv", "Container": "webserver-simple", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kiali-operator", "Pod": "kiali-5b88cfb6f8-9wxkc", "Container": "kiali", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kiali-operator", "Pod": "kiali-operator-696bd54db-cv6fc", "Container": "operator", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7ghbq", "Container": "node-driver-registrar", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7ghbq", "Container": "secrets-store", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7ghbq", "Container": "liveness-probe", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-dg79g", "Container": "node-driver-registrar", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-dg79g", "Container": "secrets-store", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-dg79g", "Container": "liveness-probe", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-h8s4k", "Container": "node-driver-registrar", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-h8s4k", "Container": "secrets-store", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-h8s4k", "Container": "liveness-probe", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-hpc6x", "Container": "node-driver-registrar", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-hpc6x", "Container": "secrets-store", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-hpc6x", "Container": "liveness-probe", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-v7qxk", "Container": "node-driver-registrar", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-v7qxk", "Container": "secrets-store", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-v7qxk", "Container": "liveness-probe", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-xf5d4", "Container": "node-driver-registrar", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-xf5d4", "Container": "secrets-store", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-xf5d4", "Container": "liveness-probe", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-5wpww", "Container": "provider-azure-installer", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-74vvm", "Container": "provider-azure-installer", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-c6x7x", "Container": "provider-azure-installer", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-dhr9b", "Container": "provider-azure-installer", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-tvsv4", "Container": "provider-azure-installer", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-wxfc8", "Container": "provider-azure-installer", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-cz28v", "Container": "ama-logs", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-cz28v", "Container": "ama-logs-prometheus", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-d92qr", "Container": "ama-logs", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-d92qr", "Container": "ama-logs-prometheus", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-qlh7j", "Container": "ama-logs", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-qlh7j", "Container": "ama-logs-prometheus", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-rqbvf", "Container": "ama-logs", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-rqbvf", "Container": "ama-logs-prometheus", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-rs-64765bd4b9-22kzv", "Container": "ama-logs", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-x4x2r", "Container": "ama-logs", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-x4x2r", "Container": "ama-logs-prometheus", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-zxwzq", "Container": "ama-logs", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-logs-zxwzq", "Container": "ama-logs-prometheus", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-7k97h", "Container": "prometheus-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-7k97h", "Container": "addon-token-adapter", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q5llb", "Container": "prometheus-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q5llb", "Container": "addon-token-adapter", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-5qnn7", "Container": "prometheus-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-5qnn7", "Container": "addon-token-adapter", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6wx54", "Container": "prometheus-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6wx54", "Container": "addon-token-adapter", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-bp2db", "Container": "prometheus-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-bp2db", "Container": "addon-token-adapter", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nw9c8", "Container": "prometheus-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nw9c8", "Container": "addon-token-adapter", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-qpq4d", "Container": "prometheus-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-qpq4d", "Container": "addon-token-adapter", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-rtdhh", "Container": "prometheus-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-rtdhh", "Container": "addon-token-adapter", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-operator-targets-66fb46c8d6-jfwrg", "Container": "targetallocator", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "ama-metrics-operator-targets-66fb46c8d6-jfwrg", "Container": "config-reader", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-7lxpz", "Container": "azure-ip-masq-agent", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-c6xzh", "Container": "azure-ip-masq-agent", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-k4nc9", "Container": "azure-ip-masq-agent", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-v7qfj", "Container": "azure-ip-masq-agent", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-x4zch", "Container": "azure-ip-masq-agent", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-z8vqr", "Container": "azure-ip-masq-agent", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-npm-559xn", "Container": "azure-npm", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-npm-7sp9m", "Container": "azure-npm", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-npm-chwl2", "Container": "azure-npm", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-npm-g5hx8", "Container": "azure-npm", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-npm-x6g85", "Container": "azure-npm", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-npm-xjh28", "Container": "azure-npm", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "azure-policy-698f7c86b4-2mgdj", "Container": "azure-policy", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-7r45z", "Container": "cloud-node-manager", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-lstsj", "Container": "cloud-node-manager", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-mwl6j", "Container": "cloud-node-manager", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-p7rf6", "Container": "cloud-node-manager", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-swp7f", "Container": "cloud-node-manager", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-vnbh9", "Container": "cloud-node-manager", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "coredns-658d6d767d-dgvc7", "Container": "coredns", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "coredns-658d6d767d-sghts", "Container": "coredns", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "coredns-autoscaler-5955d6bbdb-s2gk7", "Container": "autoscaler", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-systempool-19995743-vmss00000m-zxfzm", "Container": "collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-systempool-19995743-vmss00000m-zxfzm", "Container": "remover", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-systempool-19995743-vmss00000m-zxfzm", "Container": "trivy-scanner", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-systempool-19995743-vmss00000n-ck6hm", "Container": "collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-systempool-19995743-vmss00000n-ck6hm", "Container": "remover", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-systempool-19995743-vmss00000n-ck6hm", "Container": "trivy-scanner", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-systempool-19995743-vmss00000o-kpb2b", "Container": "collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-systempool-19995743-vmss00000o-kpb2b", "Container": "remover", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-systempool-19995743-vmss00000o-kpb2b", "Container": "trivy-scanner", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-workloadpool-10479701-vmss00000e-9mcf6", "Container": "collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-workloadpool-10479701-vmss00000e-9mcf6", "Container": "remover", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "eraser-aks-workloadpool-10479701-vmss00000e-9mcf6", "Container": "trivy-scanner", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "extension-agent-66c4486d68-rczq6", "Container": "extension-agent", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "extension-agent-66c4486d68-rczq6", "Container": "fluent-bit", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "extension-operator-d95fd449b-gfw8s", "Container": "manager", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "extension-operator-d95fd449b-gfw8s", "Container": "fluent-bit", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "konnectivity-agent-9f65c5cd8-jrr7v", "Container": "konnectivity-agent", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "konnectivity-agent-9f65c5cd8-w2zdz", "Container": "konnectivity-agent", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "konnectivity-agent-autoscaler-cdfc7c46-hldwj", "Container": "autoscaler", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "kube-proxy-22hgl", "Container": "kube-proxy", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "kube-proxy-8dlr6", "Container": "kube-proxy", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "kube-proxy-fh5fr", "Container": "kube-proxy", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "kube-proxy-gb78q", "Container": "kube-proxy", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "kube-proxy-mb2c4", "Container": "kube-proxy", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "kube-proxy-nq2sj", "Container": "kube-proxy", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-kqfft", "Container": "microsoft-defender-pod-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-kqfft", "Container": "microsoft-defender-low-level-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mxck9", "Container": "microsoft-defender-pod-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mxck9", "Container": "microsoft-defender-low-level-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-pnlvq", "Container": "microsoft-defender-pod-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-pnlvq", "Container": "microsoft-defender-low-level-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-r57j5", "Container": "microsoft-defender-pod-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-r57j5", "Container": "microsoft-defender-low-level-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-rzv62", "Container": "microsoft-defender-pod-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-rzv62", "Container": "microsoft-defender-low-level-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-zb6fd", "Container": "microsoft-defender-pod-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-zb6fd", "Container": "microsoft-defender-low-level-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-misc-7df6776447-x9vzw", "Container": "microsoft-defender-pod-collector", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-9glts", "Container": "microsoft-defender-publisher", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-bsthb", "Container": "microsoft-defender-publisher", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-dwpb7", "Container": "microsoft-defender-publisher", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-hdpvx", "Container": "microsoft-defender-publisher", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-n8rx5", "Container": "microsoft-defender-publisher", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-qxcd9", "Container": "microsoft-defender-publisher", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "retina-agent-62scz", "Container": "retina", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "retina-agent-ds69z", "Container": "retina", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "retina-agent-h5wrd", "Container": "retina", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "retina-agent-p74qf", "Container": "retina", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "retina-agent-r2bvv", "Container": "retina", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kube-system", "Pod": "retina-agent-xcvmn", "Container": "retina", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "kubeview", "Pod": "simple-deployment-74fd649f8d-9d5gt", "Container": "webserver-simple", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "linkerd", "Pod": "simple-deployment-74fd649f8d-5bztq", "Container": "webserver-simple", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "nginx", "Pod": "simple-deployment-74fd649f8d-hf4dd", "Container": "webserver-simple", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "pets", "Pod": "order-service-6c5bfb6946-9jjrw", "Container": "order-service", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "pets", "Pod": "product-service-5dd87dfb8-h4495", "Container": "product-service", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "pets", "Pod": "rabbitmq-0", "Container": "rabbitmq", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "pets", "Pod": "store-front-658994fd95-8b7jr", "Container": "store-front", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "prometheus", "Pod": "simple-deployment-74fd649f8d-6r55l", "Container": "webserver-simple", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "sealed-secrets", "Pod": "simple-deployment-74fd649f8d-66bwl", "Container": "webserver-simple", "runAsUser": "Not Set (Defaults to root)" }, { "Namespace": "test", "Pod": "simple-deployment-74fd649f8d-lgft6", "Container": "webserver-simple", "runAsUser": "Not Set (Defaults to root)" } ], "Total": 153 }, "orphanedServiceAccounts": { "Items": [ { "Namespace": "1", "Name": "default" }, { "Namespace": "10", "Name": "default" }, { "Namespace": "2", "Name": "default" }, { "Namespace": "3", "Name": "default" }, { "Namespace": "4", "Name": "default" }, { "Namespace": "5", "Name": "default" }, { "Namespace": "6", "Name": "default" }, { "Namespace": "7", "Name": "default" }, { "Namespace": "8", "Name": "default" }, { "Namespace": "9", "Name": "default" }, { "Namespace": "aks-istio-egress", "Name": "default" }, { "Namespace": "aks-istio-ingress", "Name": "default" }, { "Namespace": "aks-istio-system", "Name": "default" }, { "Namespace": "app-routing-system", "Name": "default" }, { "Namespace": "argocd", "Name": "default" }, { "Namespace": "default", "Name": "default" }, { "Namespace": "gatekeeper-system", "Name": "default" }, { "Namespace": "kiali-operator", "Name": "default" }, { "Namespace": "kube-node-lease", "Name": "default" }, { "Namespace": "kube-public", "Name": "default" } ], "Total": 20 }, "orphanedRoles": { "Items": [ { "Namespace": "🌍 Cluster-Wide", "Role": "system:node", "Type": "ClusterRoleBinding", "Issue": "🚩 No subjects defined", "Severity": "Low", "Recommendation": "Delete the ClusterRoleBinding as it has no effect." }, { "Namespace": "🌍 Cluster-Wide", "Role": "aks-secretproviderclasses-admin-role", "Type": "ClusterRole", "Issue": "⚠️ Unused ClusterRole", "Severity": "Low", "Recommendation": "Delete the unused ClusterRole to reduce clutter." }, { "Namespace": "🌍 Cluster-Wide", "Role": "aks-secretproviderclasses-viewer-role", "Type": "ClusterRole", "Issue": "⚠️ Unused ClusterRole", "Severity": "Low", "Recommendation": "Delete the unused ClusterRole to reduce clutter." }, { "Namespace": "🌍 Cluster-Wide", "Role": "eraser-imagejob-pods-cluster-role", "Type": "ClusterRole", "Issue": "🚩 No rules defined", "Severity": "Low", "Recommendation": "Delete the ClusterRole or define rules to make it effective." } ], "Total": 4 }, "HPA": { "Items": [], "Total": 0 }, "servicesWithoutEndpoints": { "Items": [ { "Namespace": "kube-system", "Service": "extension-agent-metrics-service", "Type": "ClusterIP", "Status": "⚠️ No Endpoints" }, { "Namespace": "kube-system", "Service": "extension-operator-metrics-service", "Type": "ClusterIP", "Status": "⚠️ No Endpoints" }, { "Namespace": "kube-system", "Service": "network-observability", "Type": "ClusterIP", "Status": "⚠️ No Endpoints" } ], "Total": 3 }, "privilegedContainers": { "Items": [ { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7ghbq", "Container": "secrets-store" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-dg79g", "Container": "secrets-store" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-h8s4k", "Container": "secrets-store" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-hpc6x", "Container": "secrets-store" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-v7qxk", "Container": "secrets-store" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-xf5d4", "Container": "secrets-store" }, { "Namespace": "kube-system", "Pod": "ama-logs-cz28v", "Container": "ama-logs" }, { "Namespace": "kube-system", "Pod": "ama-logs-cz28v", "Container": "ama-logs-prometheus" }, { "Namespace": "kube-system", "Pod": "ama-logs-d92qr", "Container": "ama-logs" }, { "Namespace": "kube-system", "Pod": "ama-logs-d92qr", "Container": "ama-logs-prometheus" }, { "Namespace": "kube-system", "Pod": "ama-logs-qlh7j", "Container": "ama-logs" }, { "Namespace": "kube-system", "Pod": "ama-logs-qlh7j", "Container": "ama-logs-prometheus" }, { "Namespace": "kube-system", "Pod": "ama-logs-rqbvf", "Container": "ama-logs" }, { "Namespace": "kube-system", "Pod": "ama-logs-rqbvf", "Container": "ama-logs-prometheus" }, { "Namespace": "kube-system", "Pod": "ama-logs-rs-64765bd4b9-22kzv", "Container": "ama-logs" }, { "Namespace": "kube-system", "Pod": "ama-logs-x4x2r", "Container": "ama-logs" }, { "Namespace": "kube-system", "Pod": "ama-logs-x4x2r", "Container": "ama-logs-prometheus" }, { "Namespace": "kube-system", "Pod": "ama-logs-zxwzq", "Container": "ama-logs" }, { "Namespace": "kube-system", "Pod": "ama-logs-zxwzq", "Container": "ama-logs-prometheus" }, { "Namespace": "kube-system", "Pod": "kube-proxy-22hgl", "Container": "kube-proxy" }, { "Namespace": "kube-system", "Pod": "kube-proxy-8dlr6", "Container": "kube-proxy" }, { "Namespace": "kube-system", "Pod": "kube-proxy-fh5fr", "Container": "kube-proxy" }, { "Namespace": "kube-system", "Pod": "kube-proxy-gb78q", "Container": "kube-proxy" }, { "Namespace": "kube-system", "Pod": "kube-proxy-mb2c4", "Container": "kube-proxy" }, { "Namespace": "kube-system", "Pod": "kube-proxy-nq2sj", "Container": "kube-proxy" } ], "Total": 25 }, "deploymentIssues": { "Items": [], "Total": 0 }, "nodeResources": { "Items": [ { "Node": "aks-systempool-19995743-vmss00000m", "CPU %": "8.68%", "CPU Used": "165 mC", "CPU Total": "1900 mC", "CPU Status": "✅ Normal", "Mem %": "48.65%", "Mem Used": "3178 Mi", "Mem Total": "6533 Mi", "Mem Status": "✅ Normal", "Disk %": "48%", "Disk Status": "✅ Normal" }, { "Node": "aks-systempool-19995743-vmss00000n", "CPU %": "10.26%", "CPU Used": "195 mC", "CPU Total": "1900 mC", "CPU Status": "✅ Normal", "Mem %": "43.50%", "Mem Used": "2842 Mi", "Mem Total": "6533 Mi", "Mem Status": "✅ Normal", "Disk %": "43%", "Disk Status": "✅ Normal" }, { "Node": "aks-systempool-19995743-vmss00000o", "CPU %": "7.42%", "CPU Used": "141 mC", "CPU Total": "1900 mC", "CPU Status": "✅ Normal", "Mem %": "50.11%", "Mem Used": "3274 Mi", "Mem Total": "6533 Mi", "Mem Status": "🟡 Warning", "Disk %": "50%", "Disk Status": "✅ Normal" }, { "Node": "aks-workloadpool-10479701-vmss00000e", "CPU %": "5.13%", "CPU Used": "198 mC", "CPU Total": "3860 mC", "CPU Status": "✅ Normal", "Mem %": "25.03%", "Mem Used": "3651 Mi", "Mem Total": "14584 Mi", "Mem Status": "✅ Normal", "Disk %": "25%", "Disk Status": "✅ Normal" }, { "Node": "aks-workloadpool-10479701-vmss00000f", "CPU %": "3.47%", "CPU Used": "134 mC", "CPU Total": "3860 mC", "CPU Status": "✅ Normal", "Mem %": "14.01%", "Mem Used": "2043 Mi", "Mem Total": "14584 Mi", "Mem Status": "✅ Normal", "Disk %": "14%", "Disk Status": "✅ Normal" }, { "Node": "aks-workloadpool-10479701-vmss00000g", "CPU %": "3.19%", "CPU Used": "123 mC", "CPU Total": "3860 mC", "CPU Status": "✅ Normal", "Mem %": "12.25%", "Mem Used": "1786 Mi", "Mem Total": "14584 Mi", "Mem Status": "✅ Normal", "Disk %": "12%", "Disk Status": "✅ Normal" } ], "Total": 6, "Warnings": 1 }, "crashloop": { "Items": [], "Total": 0 }, "rbacMisconfig": { "Items": [ { "Namespace": "kube-system", "Type": "🔹 Namespace Role", "RoleBinding": "system::leader-locking-kube-controller-manager", "Subject": "ServiceAccount/kube-controller-manager", "Issue": "❌ ServiceAccount does not exist in namespace kube-system", "Severity": "High", "Recommendation": "Create the missing ServiceAccount or update the RoleBinding to reference an existing ServiceAccount." }, { "Namespace": "kube-system", "Type": "🔹 Namespace Role", "RoleBinding": "system::leader-locking-kube-scheduler", "Subject": "ServiceAccount/kube-scheduler", "Issue": "❌ ServiceAccount does not exist in namespace kube-system", "Severity": "High", "Recommendation": "Create the missing ServiceAccount or update the RoleBinding to reference an existing ServiceAccount." }, { "Namespace": "kube-system", "Type": "🔹 Namespace Role", "RoleBinding": "system:controller:cloud-provider", "Subject": "ServiceAccount/cloud-provider", "Issue": "❌ ServiceAccount does not exist in namespace kube-system", "Severity": "High", "Recommendation": "Create the missing ServiceAccount or update the RoleBinding to reference an existing ServiceAccount." }, { "Namespace": "🌍 Cluster-Wide", "Type": "🔸 Cluster Role", "RoleBinding": "istio-reader-clusterrole-asm-1-23-aks-istio-system", "Subject": "ServiceAccount/istio-reader-service-account", "Issue": "❌ ServiceAccount does not exist in namespace aks-istio-system", "Severity": "High", "Recommendation": "Create the missing ServiceAccount or update the ClusterRoleBinding to reference an existing ServiceAccount." }, { "Namespace": "🌍 Cluster-Wide", "Type": "🔸 Cluster Role", "RoleBinding": "secretproviderrotation-rolebinding", "Subject": "ServiceAccount/secrets-store-csi-driver", "Issue": "❌ ServiceAccount does not exist in namespace kube-system", "Severity": "High", "Recommendation": "Create the missing ServiceAccount or update the ClusterRoleBinding to reference an existing ServiceAccount." }, { "Namespace": "🌍 Cluster-Wide", "Type": "🔸 Cluster Role", "RoleBinding": "system:azure-cloud-provider", "Subject": "ServiceAccount/azure-cloud-provider", "Issue": "❌ ServiceAccount does not exist in namespace kube-system", "Severity": "High", "Recommendation": "Create the missing ServiceAccount or update the ClusterRoleBinding to reference an existing ServiceAccount." }, { "Namespace": "🌍 Cluster-Wide", "Type": "🔸 Cluster Role", "RoleBinding": "system:azure-cloud-provider-secret-getter", "Subject": "ServiceAccount/azure-cloud-provider", "Issue": "❌ ServiceAccount does not exist in namespace kube-system", "Severity": "High", "Recommendation": "Create the missing ServiceAccount or update the ClusterRoleBinding to reference an existing ServiceAccount." }, { "Namespace": "🌍 Cluster-Wide", "Type": "🔸 Cluster Role", "RoleBinding": "system:controller:route-controller", "Subject": "ServiceAccount/route-controller", "Issue": "❌ ServiceAccount does not exist in namespace kube-system", "Severity": "High", "Recommendation": "Create the missing ServiceAccount or update the ClusterRoleBinding to reference an existing ServiceAccount." }, { "Namespace": "🌍 Cluster-Wide", "Type": "🔸 Cluster Role", "RoleBinding": "system:controller:service-controller", "Subject": "ServiceAccount/service-controller", "Issue": "❌ ServiceAccount does not exist in namespace kube-system", "Severity": "High", "Recommendation": "Create the missing ServiceAccount or update the ClusterRoleBinding to reference an existing ServiceAccount." }, { "Namespace": "🌍 Cluster-Wide", "Type": "🔸 Cluster Role", "RoleBinding": "system:kube-dns", "Subject": "ServiceAccount/kube-dns", "Issue": "❌ ServiceAccount does not exist in namespace kube-system", "Severity": "High", "Recommendation": "Create the missing ServiceAccount or update the ClusterRoleBinding to reference an existing ServiceAccount." } ], "Total": 10 }, "publicServices": { "Items": [ { "Namespace": "aks-istio-ingress", "Service": "aks-istio-ingressgateway-external", "Type": "LoadBalancer", "Ports": "15021/TCP, 80/TCP, 443/TCP", "ExternalIP": "131.145.32.126" }, { "Namespace": "app-routing-system", "Service": "nginx", "Type": "LoadBalancer", "Ports": "80/TCP, 443/TCP", "ExternalIP": "4.250.59.60" }, { "Namespace": "pets", "Service": "store-front", "Type": "LoadBalancer", "Ports": "80/TCP", "ExternalIP": "85.210.102.171" }, { "Namespace": "test", "Service": "simple-service", "Type": "NodePort", "Ports": "8080/TCP", "ExternalIP": "None" } ], "Total": 4 }, "namespaceLimitRanges": { "Items": [ { "Namespace": "1", "Issue": "❌ No LimitRange defined" }, { "Namespace": "10", "Issue": "❌ No LimitRange defined" }, { "Namespace": "2", "Issue": "❌ No LimitRange defined" }, { "Namespace": "3", "Issue": "❌ No LimitRange defined" }, { "Namespace": "4", "Issue": "❌ No LimitRange defined" }, { "Namespace": "5", "Issue": "❌ No LimitRange defined" }, { "Namespace": "6", "Issue": "❌ No LimitRange defined" }, { "Namespace": "7", "Issue": "❌ No LimitRange defined" }, { "Namespace": "8", "Issue": "❌ No LimitRange defined" }, { "Namespace": "9", "Issue": "❌ No LimitRange defined" }, { "Namespace": "aks-istio-egress", "Issue": "❌ No LimitRange defined" }, { "Namespace": "aks-istio-ingress", "Issue": "❌ No LimitRange defined" }, { "Namespace": "aks-istio-system", "Issue": "❌ No LimitRange defined" }, { "Namespace": "app-routing-system", "Issue": "❌ No LimitRange defined" }, { "Namespace": "argo-rollouts", "Issue": "❌ No LimitRange defined" }, { "Namespace": "argo-workflows", "Issue": "❌ No LimitRange defined" }, { "Namespace": "argocd", "Issue": "❌ No LimitRange defined" }, { "Namespace": "cert-manager", "Issue": "❌ No LimitRange defined" }, { "Namespace": "default", "Issue": "❌ No LimitRange defined" }, { "Namespace": "gatekeeper-system", "Issue": "❌ No LimitRange defined" }, { "Namespace": "grafana", "Issue": "❌ No LimitRange defined" }, { "Namespace": "kiali-operator", "Issue": "❌ No LimitRange defined" }, { "Namespace": "kube-node-lease", "Issue": "❌ No LimitRange defined" }, { "Namespace": "kube-public", "Issue": "❌ No LimitRange defined" }, { "Namespace": "kube-system", "Issue": "❌ No LimitRange defined" }, { "Namespace": "kubeview", "Issue": "❌ No LimitRange defined" }, { "Namespace": "linkerd", "Issue": "❌ No LimitRange defined" }, { "Namespace": "nginx", "Issue": "❌ No LimitRange defined" }, { "Namespace": "pets", "Issue": "❌ No LimitRange defined" }, { "Namespace": "prometheus", "Issue": "❌ No LimitRange defined" }, { "Namespace": "sealed-secrets", "Issue": "❌ No LimitRange defined" }, { "Namespace": "test", "Issue": "❌ No LimitRange defined" } ], "Total": 32 }, "podFail": { "Items": { "Namespace": "kube-system", "Pod": "eraser-aks-systempool-19995743-vmss00000n-ck6hm", "Reason": "UnexpectedAdmissionError", "Message": "Pod was rejected: Unexpected error while attempting to recover from admission failure: preemption: error finding a set of pods to preempt: no set of running pods found to reclaim resources: [(res: cpu, q: 38), ]" }, "Total": 1 }, "AKSBestPractices": null, "PDB": { "Items": [ { "Namespace": "app-routing-system", "Name": "nginx", "Kind": "PDB", "Issue": "⚠️ maxUnavailable = 100%" }, { "Namespace": "argo-rollouts", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argo-workflows", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-applicationset-controller", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-dex-server", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-notifications-controller", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-redis-ha-haproxy", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-repo-server", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-server", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "cert-manager", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "grafana", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "kiali-operator", "Name": "kiali", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "kiali-operator", "Name": "kiali-operator", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "kubeview", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "linkerd", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "nginx", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "pets", "Name": "order-service", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "pets", "Name": "product-service", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "pets", "Name": "store-front", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "prometheus", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "sealed-secrets", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "test", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-application-controller", "Kind": "StatefulSet", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-redis-ha-server", "Kind": "StatefulSet", "Issue": "❌ No matching PDB" }, { "Namespace": "pets", "Name": "rabbitmq", "Kind": "StatefulSet", "Issue": "❌ No matching PDB" } ], "Total": 25 }, "podPending": { "Items": [], "Total": 0 }, "unmountedPV": { "Items": [], "Total": 0 }, "podsRestart": { "Items": [], "Total": 0 }, "statefulSetIssues": { "Items": [], "Total": 0 }, "daemonSetIssues": { "Items": [], "Total": 0 }, "stuckJobs": null, "podLongRunning": { "Items": [], "Total": 0 }, "nodeConditions": { "Total": 6, "NotReady": 0, "Items": [ { "Node": "aks-systempool-19995743-vmss00000m", "Status": "✅ Healthy", "Issues": "None" }, { "Node": "aks-systempool-19995743-vmss00000n", "Status": "✅ Healthy", "Issues": "None" }, { "Node": "aks-systempool-19995743-vmss00000o", "Status": "✅ Healthy", "Issues": "None" }, { "Node": "aks-workloadpool-10479701-vmss00000e", "Status": "✅ Healthy", "Issues": "None" }, { "Node": "aks-workloadpool-10479701-vmss00000f", "Status": "✅ Healthy", "Issues": "None" }, { "Node": "aks-workloadpool-10479701-vmss00000g", "Status": "✅ Healthy", "Issues": "None" } ] }, "eventSummary": { "TotalWarnings": 0, "Summary": [], "Events": [] }, "missingProbes": { "Items": [ { "Namespace": "aks-istio-ingress", "Workload": "aks-istio-ingressgateway-external-asm-1-23", "Kind": "Deployment", "Container": "istio-proxy", "Missing": "readiness, liveness" }, { "Namespace": "aks-istio-system", "Workload": "istiod-asm-1-23", "Kind": "Deployment", "Container": "discovery", "Missing": "liveness" }, { "Namespace": "argo-rollouts", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "argo-workflows", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "argocd", "Workload": "argocd-applicationset-controller", "Kind": "Deployment", "Container": "argocd-applicationset-controller", "Missing": "readiness, liveness" }, { "Namespace": "argocd", "Workload": "argocd-dex-server", "Kind": "Deployment", "Container": "dex", "Missing": "readiness, liveness" }, { "Namespace": "argocd", "Workload": "argocd-notifications-controller", "Kind": "Deployment", "Container": "argocd-notifications-controller", "Missing": "readiness" }, { "Namespace": "cert-manager", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "grafana", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "ama-logs-rs", "Kind": "Deployment", "Container": "ama-logs", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics", "Kind": "Deployment", "Container": "prometheus-collector", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics", "Kind": "Deployment", "Container": "addon-token-adapter", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-operator-targets", "Kind": "Deployment", "Container": "targetallocator", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-operator-targets", "Kind": "Deployment", "Container": "config-reader", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "coredns-autoscaler", "Kind": "Deployment", "Container": "autoscaler", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "extension-agent", "Kind": "Deployment", "Container": "extension-agent", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "extension-agent", "Kind": "Deployment", "Container": "fluent-bit", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "extension-operator", "Kind": "Deployment", "Container": "manager", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "extension-operator", "Kind": "Deployment", "Container": "fluent-bit", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "konnectivity-agent-autoscaler", "Kind": "Deployment", "Container": "autoscaler", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "metrics-server", "Kind": "Deployment", "Container": "metrics-server-vpa", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "microsoft-defender-collector-misc", "Kind": "Deployment", "Container": "microsoft-defender-pod-collector", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "vpa-admission-controller", "Kind": "Deployment", "Container": "admission-controller", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "vpa-recommender", "Kind": "Deployment", "Container": "recommender", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "vpa-updater", "Kind": "Deployment", "Container": "updater", "Missing": "readiness, liveness" }, { "Namespace": "kubeview", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "linkerd", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "nginx", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "prometheus", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "sealed-secrets", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "test", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "argocd", "Workload": "argocd-application-controller", "Kind": "StatefulSet", "Container": "argocd-application-controller", "Missing": "liveness" }, { "Namespace": "argocd", "Workload": "argocd-redis-ha-server", "Kind": "StatefulSet", "Container": "split-brain-fix", "Missing": "readiness, liveness" }, { "Namespace": "pets", "Workload": "rabbitmq", "Kind": "StatefulSet", "Container": "rabbitmq", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver", "Kind": "DaemonSet", "Container": "node-driver-registrar", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver", "Kind": "DaemonSet", "Container": "secrets-store", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver", "Kind": "DaemonSet", "Container": "liveness-probe", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver-windows", "Kind": "DaemonSet", "Container": "node-driver-registrar", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver-windows", "Kind": "DaemonSet", "Container": "secrets-store", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver-windows", "Kind": "DaemonSet", "Container": "liveness-probe", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-provider-azure", "Kind": "DaemonSet", "Container": "provider-azure-installer", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-provider-azure-windows", "Kind": "DaemonSet", "Container": "provider-azure-installer", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-logs", "Kind": "DaemonSet", "Container": "ama-logs", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-logs", "Kind": "DaemonSet", "Container": "ama-logs-prometheus", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-logs-windows", "Kind": "DaemonSet", "Container": "ama-logs-windows", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-node", "Kind": "DaemonSet", "Container": "prometheus-collector", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-node", "Kind": "DaemonSet", "Container": "addon-token-adapter", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-win-node", "Kind": "DaemonSet", "Container": "prometheus-collector", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-win-node", "Kind": "DaemonSet", "Container": "addon-token-adapter-win", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "azure-ip-masq-agent", "Kind": "DaemonSet", "Container": "azure-ip-masq-agent", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "azure-npm", "Kind": "DaemonSet", "Container": "azure-npm", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "cloud-node-manager", "Kind": "DaemonSet", "Container": "cloud-node-manager", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "cloud-node-manager-windows", "Kind": "DaemonSet", "Container": "cloud-node-manager", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "kube-proxy", "Kind": "DaemonSet", "Container": "kube-proxy", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "microsoft-defender-collector-ds", "Kind": "DaemonSet", "Container": "microsoft-defender-pod-collector", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "microsoft-defender-collector-ds", "Kind": "DaemonSet", "Container": "microsoft-defender-low-level-collector", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "microsoft-defender-publisher-ds", "Kind": "DaemonSet", "Container": "microsoft-defender-publisher", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "retina-agent", "Kind": "DaemonSet", "Container": "retina", "Missing": "liveness" }, { "Namespace": "kube-system", "Workload": "retina-agent-win", "Kind": "DaemonSet", "Container": "retinawin", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "windows-kube-proxy-initializer", "Kind": "DaemonSet", "Container": "pause", "Missing": "readiness, liveness" } ], "Total": 60 }, "jobFail": null }, "metadata": { "generatedAt": "2025-04-14T13:54:48Z", "kubernetesVersion": "v1.30.11", "aks": { "id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-0402-dev-uks/providers/Microsoft.ContainerService/managedClusters/aks-0402-dev-uks", "location": "uksouth", "name": "aks-0402-dev-uks", "tags": { "Customer": "0402", "Environment": "dev", "LastDeployedBy": "Richard.Hooper@pixelrobots.co.uk", "LastUpdatedOn": "04/02/2025" }, "type": "Microsoft.ContainerService/ManagedClusters", "properties": { "provisioningState": "Succeeded", "powerState": { "code": "Running" }, "kubernetesVersion": "1.30.11", "currentKubernetesVersion": "1.30.11", "dnsPrefix": "aks-0402-dev-uks", "fqdn": "aks-0402-dev-uks-okv6e22w.hcp.uksouth.azmk8s.io", "azurePortalFQDN": "aks-0402-dev-uks-okv6e22w.portal.hcp.uksouth.azmk8s.io", "agentPoolProfiles": [ { "name": "systempool", "count": 3, "vmSize": "Standard_D2ds_v5", "osDiskSizeGB": 70, "osDiskType": "Ephemeral", "kubeletDiskType": "OS", "workloadRuntime": "OCIContainer", "vnetSubnetID": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourceGroups/rg-aks-0402-dev-uks/providers/Microsoft.Network/virtualNetworks/vnet-0402-dev-uks/subnets/snet-aks-resources", "maxPods": 50, "type": "VirtualMachineScaleSets", "availabilityZones": [ "1", "2", "3" ], "maxCount": 5, "minCount": 3, "enableAutoScaling": true, "scaleDownMode": "Delete", "provisioningState": "Succeeded", "powerState": { "code": "Running" }, "orchestratorVersion": "1.30.11", "currentOrchestratorVersion": "1.30.11", "enableNodePublicIP": false, "tags": { "Customer": "0402", "Environment": "dev", "LastDeployedBy": "Richard.Hooper@pixelrobots.co.uk", "LastUpdatedOn": "04/02/2025" }, "nodeLabels": { "nodetype": "system" }, "nodeTaints": [ "CriticalAddonsOnly=true:NoSchedule" ], "mode": "System", "enableEncryptionAtHost": false, "enableUltraSSD": false, "osType": "Linux", "osSKU": "AzureLinux", "nodeImageVersion": "AKSAzureLinux-V2gen2-202504.02.0", "upgradeSettings": { "maxSurge": "10%" }, "enableFIPS": false, "securityProfile": { "enableVTPM": false, "enableSecureBoot": false } }, { "name": "workloadpool", "count": 3, "vmSize": "Standard_D4ds_v5", "osDiskSizeGB": 70, "osDiskType": "Ephemeral", "kubeletDiskType": "OS", "vnetSubnetID": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourceGroups/rg-aks-0402-dev-uks/providers/Microsoft.Network/virtualNetworks/vnet-0402-dev-uks/subnets/snet-aks-resources", "maxPods": 50, "type": "VirtualMachineScaleSets", "availabilityZones": [ "1", "2", "3" ], "maxCount": 12, "minCount": 1, "enableAutoScaling": true, "scaleDownMode": "Delete", "provisioningState": "Succeeded", "powerState": { "code": "Running" }, "orchestratorVersion": "1.30.11", "currentOrchestratorVersion": "1.30.11", "enableNodePublicIP": false, "tags": { "Customer": "0402", "Environment": "dev", "LastDeployedBy": "Richard.Hooper@pixelrobots.co.uk", "LastUpdatedOn": "04/02/2025" }, "mode": "User", "enableEncryptionAtHost": false, "enableUltraSSD": false, "osType": "Linux", "osSKU": "AzureLinux", "nodeImageVersion": "AKSAzureLinux-V2gen2-202504.02.0", "upgradeSettings": {}, "enableFIPS": false, "securityProfile": { "enableVTPM": false, "enableSecureBoot": false } } ], "windowsProfile": { "adminUsername": "azureuser", "enableCSIProxy": true }, "servicePrincipalProfile": { "clientId": "msi" }, "addonProfiles": { "aciConnectorLinux": { "enabled": false, "config": {} }, "azureKeyvaultSecretsProvider": { "enabled": true, "config": { "enableSecretRotation": "true" }, "identity": { "resourceId": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-nodes-0402-dev-uks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/azurekeyvaultsecretsprovider-aks-0402-dev-uks", "clientId": "33cd05e6-e21f-499d-8eaa-e0a4fe944209", "objectId": "5cb84804-0ec3-43c1-a3ec-4aa370a849e9" } }, "azurepolicy": { "enabled": true, "config": { "version": "v2" }, "identity": { "resourceId": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-nodes-0402-dev-uks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/azurepolicy-aks-0402-dev-uks", "clientId": "7dd24ec2-87c4-49c5-8e54-856e99e98d37", "objectId": "3b51aafc-947a-4dde-bc74-e34009b356c0" } }, "extensionManager": { "enabled": true, "config": null, "identity": { "resourceId": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-nodes-0402-dev-uks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/extensionmanager-aks-0402-dev-uks", "clientId": "aeb9ea13-379d-47c0-88a3-3cd4a8050b11", "objectId": "2c1dc30c-b46a-4c8b-9d61-eb4a33128d68" } }, "httpApplicationRouting": { "enabled": false, "config": null }, "ingressApplicationGateway": { "enabled": false, "config": null }, "kubeDashboard": { "enabled": false, "config": null }, "omsagent": { "enabled": true, "config": { "logAnalyticsWorkspaceResourceID": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourceGroups/rg-monitoring-0402-dev-uks/providers/Microsoft.OperationalInsights/workspaces/ws-aks-0402-dev-uks" }, "identity": { "resourceId": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-nodes-0402-dev-uks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/omsagent-aks-0402-dev-uks", "clientId": "07a57f6c-d628-4c7b-b55b-68565aabb6f5", "objectId": "5da3aad1-0808-4133-a4f8-5ffeeb8b85ef" } }, "openServiceMesh": { "enabled": false, "config": null } }, "nodeResourceGroup": "rg-aks-nodes-0402-dev-uks", "enableRBAC": true, "enablePodSecurityPolicy": false, "supportPlan": "KubernetesOfficial", "networkProfile": { "networkPlugin": "azure", "networkPolicy": "azure", "networkDataplane": "azure", "loadBalancerSku": "standard", "loadBalancerProfile": { "managedOutboundIPs": { "count": 1 }, "effectiveOutboundIPs": [ { "id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourceGroups/rg-aks-nodes-0402-dev-uks/providers/Microsoft.Network/publicIPAddresses/cc3be770-5fa8-47ee-afb8-6c7b875ad974" } ], "backendPoolType": "nodeIP" }, "serviceCidr": "172.16.0.0/24", "dnsServiceIP": "172.16.0.10", "outboundType": "loadBalancer", "serviceCidrs": [ "172.16.0.0/24" ], "ipFamilies": [ "IPv4" ] }, "aadProfile": { "managed": true, "adminGroupObjectIDs": [ "e591c663-c79c-47a4-94b8-f646b8647046" ], "adminUsers": null, "enableAzureRBAC": true, "tenantID": "d8171bb5-a0de-40a6-afdf-8b569cf6dbb8" }, "maxAgentPools": 100, "identityProfile": { "kubeletidentity": { "resourceId": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-nodes-0402-dev-uks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-0402-dev-uks-agentpool", "clientId": "6734db78-f28f-4b22-b64e-f5d618a5587b", "objectId": "e2ea25b7-da90-497b-a678-32589c6c4c16" } }, "autoScalerProfile": { "balance-similar-node-groups": "false", "daemonset-eviction-for-empty-nodes": false, "daemonset-eviction-for-occupied-nodes": true, "expander": "random", "ignore-daemonsets-utilization": false, "max-empty-bulk-delete": "10", "max-graceful-termination-sec": "600", "max-node-provision-time": "15m", "max-total-unready-percentage": "45", "new-pod-scale-up-delay": "0s", "ok-total-unready-count": "3", "scale-down-delay-after-add": "10m", "scale-down-delay-after-delete": "10s", "scale-down-delay-after-failure": "3m", "scale-down-unneeded-time": "10m", "scale-down-unready-time": "20m", "scale-down-utilization-threshold": "0.5", "scan-interval": "10s", "skip-nodes-with-local-storage": "false", "skip-nodes-with-system-pods": "true" }, "autoUpgradeProfile": { "upgradeChannel": "patch", "nodeOSUpgradeChannel": "NodeImage" }, "podIdentityProfile": { "allowNetworkPluginKubenet": false }, "disableLocalAccounts": true, "securityProfile": { "defender": { "logAnalyticsWorkspaceResourceId": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourceGroups/rg-monitoring-0402-dev-uks/providers/Microsoft.OperationalInsights/workspaces/ws-aks-0402-dev-uks", "securityMonitoring": { "enabled": true } }, "imageCleaner": { "enabled": true, "intervalHours": 168 }, "workloadIdentity": { "enabled": true } }, "storageProfile": { "diskCSIDriver": { "enabled": false }, "fileCSIDriver": { "enabled": false }, "snapshotController": { "enabled": false }, "blobCSIDriver": { "enabled": false } }, "publicNetworkAccess": "Enabled", "oidcIssuerProfile": { "enabled": true, "issuerURL": "https://uksouth.oic.prod-aks.azure.com/d8171bb5-a0de-40a6-afdf-8b569cf6dbb8/79d223da-9c3d-47f2-89c9-7941a0cbabe7/" }, "ingressProfile": { "webAppRouting": { "enabled": true, "dnsZoneResourceIds": null, "identity": { "resourceId": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-nodes-0402-dev-uks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/webapprouting-aks-0402-dev-uks", "clientId": "5282f73f-a384-4024-bca0-e68ec2eba48b", "objectId": "12ea4dd2-0069-4a0a-ba34-edbe3ecbdde1" }, "nginx": { "defaultIngressControllerType": "AnnotationControlled" } } }, "workloadAutoScalerProfile": { "keda": { "enabled": true }, "verticalPodAutoscaler": { "enabled": true } }, "azureMonitorProfile": { "metrics": { "enabled": true, "kubeStateMetrics": { "metricLabelsAllowlist": "", "metricAnnotationsAllowList": "" } } }, "resourceUID": "67a2676fa14f1a0001d1b85a", "serviceMeshProfile": { "mode": "Istio", "istio": { "components": { "ingressGateways": [ { "mode": "External", "enabled": true } ] }, "revisions": [ "asm-1-23" ] } }, "metricsProfile": { "costAnalysis": { "enabled": false } }, "bootstrapProfile": { "artifactSource": "Direct" } }, "identity": { "type": "UserAssigned", "userAssignedIdentities": { "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourceGroups/rg-aks-0402-dev-uks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-aks-0402-dev-uks-control": { "clientId": "69ca4f0c-8725-4c6a-81c2-b937b03e10cc", "principalId": "ed817eff-6790-4bde-81b8-2a21644a5f87" } } }, "sku": { "name": "Base", "tier": "Standard" }, "KubeData": { "Constraints": [ { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV1BlockDefault", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373", "azure-policy-definition-reference-id": "KubernetesClustersShouldNotUseTheDefaultNamespaceMonitoringEffect", "azure-policy-definition-version": "4.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:55Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev1blockdefault-154760fb0fc19d848eee", "resourceVersion": "20030153", "uid": "6bf71805-d353-43d0-9076-88c019f37789" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod", "Service", "ServiceAccount" ] } ], "namespaces": [ "default" ], "source": "Original" } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "6bf71805-d353-43d0-9076-88c019f37789", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "6bf71805-d353-43d0-9076-88c019f37789", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "6bf71805-d353-43d0-9076-88c019f37789", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV1IngressHttpsOnly", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", "azure-policy-definition-reference-id": "kubernetesClustersShouldBeAccessibleOnlyOverHTTPSMonitoringEffect", "azure-policy-definition-version": "8.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:55Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev1ingresshttpsonly-be199c622b35c9637110", "resourceVersion": "20030159", "uid": "a0a922d4-6643-4981-a697-b0e32bbb005d" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "extensions", "networking.k8s.io" ], "kinds": [ "Ingress" ] } ], "source": "Original" } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "a0a922d4-6643-4981-a697-b0e32bbb005d", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "a0a922d4-6643-4981-a697-b0e32bbb005d", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "a0a922d4-6643-4981-a697-b0e32bbb005d", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV1ServiceAllowedPorts", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44", "azure-policy-definition-reference-id": "allowedServicePortsInKubernetesCluster", "azure-policy-definition-version": "8.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:56Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev1serviceallowedports-9ed9c489d85822b72098", "resourceVersion": "20030158", "uid": "a8f051d8-de99-478a-90a5-c32c2518707e" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Service" ] } ], "source": "Original" }, "parameters": { "allowedPorts": [ "-1" ] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "a8f051d8-de99-478a-90a5-c32c2518707e", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "a8f051d8-de99-478a-90a5-c32c2518707e", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "a8f051d8-de99-478a-90a5-c32c2518707e", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 39, "violations": [ { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 8080 for service simple-service has not been allowed.", "name": "simple-service", "namespace": "test", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 80 for service simple-service has not been allowed.", "name": "simple-service", "namespace": "sealed-secrets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 80 for service simple-service has not been allowed.", "name": "simple-service", "namespace": "prometheus", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 80 for service store-front has not been allowed.", "name": "store-front", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 5672 for service rabbitmq has not been allowed.", "name": "rabbitmq", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 15672 for service rabbitmq has not been allowed.", "name": "rabbitmq", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 3002 for service product-service has not been allowed.", "name": "product-service", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 3000 for service order-service has not been allowed.", "name": "order-service", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 80 for service simple-service has not been allowed.", "name": "simple-service", "namespace": "nginx", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 80 for service simple-service has not been allowed.", "name": "simple-service", "namespace": "linkerd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 80 for service simple-service has not been allowed.", "name": "simple-service", "namespace": "kubeview", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 9090 for service kiali has not been allowed.", "name": "kiali", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 20001 for service kiali has not been allowed.", "name": "kiali", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 80 for service simple-service has not been allowed.", "name": "simple-service", "namespace": "grafana", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 80 for service simple-service has not been allowed.", "name": "simple-service", "namespace": "cert-manager", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 8083 for service argocd-server-metrics has not been allowed.", "name": "argocd-server-metrics", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 80 for service argocd-server has not been allowed.", "name": "argocd-server", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 443 for service argocd-server has not been allowed.", "name": "argocd-server", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 8084 for service argocd-repo-server has not been allowed.", "name": "argocd-repo-server", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 8081 for service argocd-repo-server has not been allowed.", "name": "argocd-repo-server", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 9101 for service argocd-redis-ha-haproxy has not been allowed.", "name": "argocd-redis-ha-haproxy", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 6379 for service argocd-redis-ha-haproxy has not been allowed.", "name": "argocd-redis-ha-haproxy", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 6379 for service argocd-redis-ha-announce-2 has not been allowed.", "name": "argocd-redis-ha-announce-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 26379 for service argocd-redis-ha-announce-2 has not been allowed.", "name": "argocd-redis-ha-announce-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 6379 for service argocd-redis-ha-announce-1 has not been allowed.", "name": "argocd-redis-ha-announce-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 26379 for service argocd-redis-ha-announce-1 has not been allowed.", "name": "argocd-redis-ha-announce-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 6379 for service argocd-redis-ha-announce-0 has not been allowed.", "name": "argocd-redis-ha-announce-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 26379 for service argocd-redis-ha-announce-0 has not been allowed.", "name": "argocd-redis-ha-announce-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 6379 for service argocd-redis-ha has not been allowed.", "name": "argocd-redis-ha", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 26379 for service argocd-redis-ha has not been allowed.", "name": "argocd-redis-ha", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 9001 for service argocd-notifications-controller-metrics has not been allowed.", "name": "argocd-notifications-controller-metrics", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 8082 for service argocd-metrics has not been allowed.", "name": "argocd-metrics", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 5558 for service argocd-dex-server has not been allowed.", "name": "argocd-dex-server", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 5557 for service argocd-dex-server has not been allowed.", "name": "argocd-dex-server", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 5556 for service argocd-dex-server has not been allowed.", "name": "argocd-dex-server", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 8080 for service argocd-applicationset-controller has not been allowed.", "name": "argocd-applicationset-controller", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 7000 for service argocd-applicationset-controller has not been allowed.", "name": "argocd-applicationset-controller", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 80 for service simple-service has not been allowed.", "name": "simple-service", "namespace": "argo-workflows", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Service", "message": "Port 80 for service simple-service has not been allowed.", "name": "simple-service", "namespace": "argo-rollouts", "version": "v1" } ] } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV2BlockAutomountToken", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423", "azure-policy-definition-reference-id": "KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringEffect", "azure-policy-definition-version": "4.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:55Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev2blockautomounttoken-ff33418731bab1b5bddb", "resourceVersion": "20030155", "uid": "7fb8b0d0-9409-445c-9ab6-5d3a3ebd91c7" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "excludedImages": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "7fb8b0d0-9409-445c-9ab6-5d3a3ebd91c7", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "7fb8b0d0-9409-445c-9ab6-5d3a3ebd91c7", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "7fb8b0d0-9409-445c-9ab6-5d3a3ebd91c7", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 25, "violations": [ { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: simple-deployment-74fd649f8d-lgft6", "name": "simple-deployment-74fd649f8d-lgft6", "namespace": "test", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: simple-deployment-74fd649f8d-66bwl", "name": "simple-deployment-74fd649f8d-66bwl", "namespace": "sealed-secrets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: simple-deployment-74fd649f8d-6r55l", "name": "simple-deployment-74fd649f8d-6r55l", "namespace": "prometheus", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: store-front-658994fd95-8b7jr", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: rabbitmq-0", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: product-service-5dd87dfb8-h4495", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: order-service-6c5bfb6946-9jjrw", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: simple-deployment-74fd649f8d-hf4dd", "name": "simple-deployment-74fd649f8d-hf4dd", "namespace": "nginx", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: simple-deployment-74fd649f8d-5bztq", "name": "simple-deployment-74fd649f8d-5bztq", "namespace": "linkerd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: simple-deployment-74fd649f8d-9d5gt", "name": "simple-deployment-74fd649f8d-9d5gt", "namespace": "kubeview", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: kiali-operator-696bd54db-cv6fc", "name": "kiali-operator-696bd54db-cv6fc", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: kiali-5b88cfb6f8-9wxkc", "name": "kiali-5b88cfb6f8-9wxkc", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: simple-deployment-74fd649f8d-f52jv", "name": "simple-deployment-74fd649f8d-f52jv", "namespace": "grafana", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: simple-deployment-74fd649f8d-ps8ll", "name": "simple-deployment-74fd649f8d-ps8ll", "namespace": "cert-manager", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: argocd-server-5df7b9f58d-rrxzz", "name": "argocd-server-5df7b9f58d-rrxzz", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: argocd-server-5df7b9f58d-7s5qh", "name": "argocd-server-5df7b9f58d-7s5qh", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: argocd-redis-ha-haproxy-fb657456c-wl84v", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: argocd-redis-ha-haproxy-fb657456c-shwm7", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: argocd-redis-ha-haproxy-fb657456c-kj4kv", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: argocd-notifications-controller-6ff6bf8dd6-2jmv8", "name": "argocd-notifications-controller-6ff6bf8dd6-2jmv8", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: argocd-dex-server-556c76889-kspcg", "name": "argocd-dex-server-556c76889-kspcg", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: argocd-applicationset-controller-6fdf84dbb6-dxmmk", "name": "argocd-applicationset-controller-6fdf84dbb6-dxmmk", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: argocd-application-controller-0", "name": "argocd-application-controller-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: simple-deployment-74fd649f8d-xh6fc", "name": "simple-deployment-74fd649f8d-xh6fc", "namespace": "argo-workflows", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Automounting service account token is disallowed, pod: simple-deployment-74fd649f8d-6nsqn", "name": "simple-deployment-74fd649f8d-6nsqn", "namespace": "argo-rollouts", "version": "v1" } ] } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV2BlockHostNamespace", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", "azure-policy-definition-reference-id": "NoSharingSensitiveHostNamespacesInKubernetes", "azure-policy-definition-version": "5.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:54Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev2blockhostnamespace-0e3a9611637f9c6c45ff", "resourceVersion": "20030169", "uid": "63113f34-c3ce-4a3a-9adf-837e88a86952" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "excludedImages": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "63113f34-c3ce-4a3a-9adf-837e88a86952", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "63113f34-c3ce-4a3a-9adf-837e88a86952", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "63113f34-c3ce-4a3a-9adf-837e88a86952", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV2BlockHostNamespace", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-0402-dev-uks/providers/Microsoft.Authorization/policyAssignments/aks-Baseline-0402-dev-uks", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", "azure-policy-definition-reference-id": "BlockUsingHostProcessIDAndIPC", "azure-policy-definition-version": "5.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d", "azure-policy-set-definition-version": "1.4.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:38:55Z", "generation": 5, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev2blockhostnamespace-9c5fd489a7d626489fac", "resourceVersion": "20030170", "uid": "2c5c5ba1-3551-4095-a135-9b03647e5d60" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "excludedImages": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "2c5c5ba1-3551-4095-a135-9b03647e5d60", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 5, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "2c5c5ba1-3551-4095-a135-9b03647e5d60", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 5, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "2c5c5ba1-3551-4095-a135-9b03647e5d60", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 5, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV2ContainerAllowedImages", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469", "azure-policy-definition-reference-id": "ensureAllowedContainerImagesInKubernetesCluster", "azure-policy-definition-version": "9.3.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:55Z", "generation": 2, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev2containerallowedimag-7c18ca50a667ab7d9aec", "resourceVersion": "20030166", "uid": "1988df34-80cb-436b-9ed3-b25f5b14234b" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "excludedContainers": [], "imageRegex": "^acr0402devuks\\.azurecr\\.io.*$|^acr2905devuks\\.azurecr\\.io.*$|^acr270125devuks\\.azurecr\\.io.*$|^acr270125testuks\\.azurecr\\.io.*$|^acr210125testuks\\.azurecr\\.io.*$|^acr111224testuks\\.azurecr\\.io.*$|^acr1112testuks\\.azurecr\\.io.*$|^acr2811fixtestuks\\.azurecr\\.io.*$|^acr2811maintestuks\\.azurecr\\.io.*$|^acr2811demotestuks\\.azurecr\\.io.*$|^acr2811demodevuks\\.azurecr\\.io.*$|^acr2811devuks\\.azurecr\\.io.*$|^acr2811testuks\\.azurecr\\.io.*$|^acr2611testeus\\.azurecr\\.io.*$|^acr2610testeus\\.azurecr\\.io.*$|^acr2510testeus\\.azurecr\\.io.*$|^acr1610testuks\\.azurecr\\.io.*$|^acr1909testuks\\.azurecr\\.io.*$|^acr1709testuks\\.azurecr\\.io.*$|^acrpe3testuks\\.azurecr\\.io.*$|^acraro4testuks\\.azurecr\\.io.*$|^registry\\.k8s\\.io/.*$|^ghcr\\.io/kedacore.*$|^mcr\\.microsoft\\.com/azure-cli.*$|^debian:buster.*$|^quay\\.io/oauth2-proxy.*$" } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "1988df34-80cb-436b-9ed3-b25f5b14234b", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 2, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "1988df34-80cb-436b-9ed3-b25f5b14234b", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 2, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "1988df34-80cb-436b-9ed3-b25f5b14234b", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 2, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 57, "violations": [ { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-lgft6", "namespace": "test", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-66bwl", "namespace": "sealed-secrets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-6r55l", "namespace": "prometheus", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-proxy has not been allowed.", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-init has not been allowed.", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image ghcr.io/azure-samples/aks-store-demo/store-front:latest for container store-front has not been allowed.", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-proxy has not been allowed.", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-init has not been allowed.", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/mirror/docker/library/rabbitmq:3.10-management-alpine for container rabbitmq has not been allowed.", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-proxy has not been allowed.", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-init has not been allowed.", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image ghcr.io/azure-samples/aks-store-demo/product-service:latest for container product-service has not been allowed.", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-proxy has not been allowed.", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-init has not been allowed.", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image ghcr.io/azure-samples/aks-store-demo/order-service:latest for container order-service has not been allowed.", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image busybox for container wait-for-rabbitmq has not been allowed.", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-hf4dd", "namespace": "nginx", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-5bztq", "namespace": "linkerd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-9d5gt", "namespace": "kubeview", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image quay.io/kiali/kiali-operator:v2.7.1 for container operator has not been allowed.", "name": "kiali-operator-696bd54db-cv6fc", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image quay.io/kiali/kiali:v2.7.1 for container kiali has not been allowed.", "name": "kiali-5b88cfb6f8-9wxkc", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-f52jv", "namespace": "grafana", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-ps8ll", "namespace": "cert-manager", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-server has not been allowed.", "name": "argocd-server-5df7b9f58d-rrxzz", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-server has not been allowed.", "name": "argocd-server-5df7b9f58d-7s5qh", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container copyutil has not been allowed.", "name": "argocd-repo-server-8568fc89b5-q2tbb", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-repo-server has not been allowed.", "name": "argocd-repo-server-8568fc89b5-q2tbb", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container copyutil has not been allowed.", "name": "argocd-repo-server-8568fc89b5-8r5mv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-repo-server has not been allowed.", "name": "argocd-repo-server-8568fc89b5-8r5mv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container split-brain-fix has not been allowed.", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container sentinel has not been allowed.", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container redis has not been allowed.", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container config-init has not been allowed.", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container split-brain-fix has not been allowed.", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container sentinel has not been allowed.", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container redis has not been allowed.", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container config-init has not been allowed.", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container split-brain-fix has not been allowed.", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container sentinel has not been allowed.", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container redis has not been allowed.", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container config-init has not been allowed.", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container haproxy has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container config-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container secret-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container haproxy has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container config-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container secret-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container haproxy has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container config-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container secret-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-notifications-controller has not been allowed.", "name": "argocd-notifications-controller-6ff6bf8dd6-2jmv8", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/dexidp/dex:v2.41.1 for container dex has not been allowed.", "name": "argocd-dex-server-556c76889-kspcg", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container copyutil has not been allowed.", "name": "argocd-dex-server-556c76889-kspcg", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-applicationset-controller has not been allowed.", "name": "argocd-applicationset-controller-6fdf84dbb6-dxmmk", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-application-controller has not been allowed.", "name": "argocd-application-controller-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-xh6fc", "namespace": "argo-workflows", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-6nsqn", "namespace": "argo-rollouts", "version": "v1" } ] } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV2ContainerAllowedImages", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/aks-trusted-registry-asc-tr2-test-uks", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469", "azure-policy-definition-reference-id": "", "azure-policy-definition-version": "9.3.0", "azure-policy-set-definition-id": "", "azure-policy-set-definition-version": "", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:55Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev2containerallowedimag-81d727851e6a9391ccb7", "resourceVersion": "20030167", "uid": "7e95781b-b1c6-4e79-a986-87b06672143d" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "excludedContainers": [], "imageRegex": "^acrasctr2testuks.azurecr.io.*$|^registry.k8s.io/.*$|^ghcr.io/kedacore.*$|^mcr.microsoft.com/azure-cli.*$|^debian:buster.*$|^quay.io/oauth2-proxy.*$" } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "7e95781b-b1c6-4e79-a986-87b06672143d", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "7e95781b-b1c6-4e79-a986-87b06672143d", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "7e95781b-b1c6-4e79-a986-87b06672143d", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 57, "violations": [ { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-lgft6", "namespace": "test", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-66bwl", "namespace": "sealed-secrets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-6r55l", "namespace": "prometheus", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-proxy has not been allowed.", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-init has not been allowed.", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image ghcr.io/azure-samples/aks-store-demo/store-front:latest for container store-front has not been allowed.", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-proxy has not been allowed.", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-init has not been allowed.", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/mirror/docker/library/rabbitmq:3.10-management-alpine for container rabbitmq has not been allowed.", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-proxy has not been allowed.", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-init has not been allowed.", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image ghcr.io/azure-samples/aks-store-demo/product-service:latest for container product-service has not been allowed.", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-proxy has not been allowed.", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless for container istio-init has not been allowed.", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image ghcr.io/azure-samples/aks-store-demo/order-service:latest for container order-service has not been allowed.", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image busybox for container wait-for-rabbitmq has not been allowed.", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-hf4dd", "namespace": "nginx", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-5bztq", "namespace": "linkerd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-9d5gt", "namespace": "kubeview", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image quay.io/kiali/kiali-operator:v2.7.1 for container operator has not been allowed.", "name": "kiali-operator-696bd54db-cv6fc", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image quay.io/kiali/kiali:v2.7.1 for container kiali has not been allowed.", "name": "kiali-5b88cfb6f8-9wxkc", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-f52jv", "namespace": "grafana", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-ps8ll", "namespace": "cert-manager", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-server has not been allowed.", "name": "argocd-server-5df7b9f58d-rrxzz", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-server has not been allowed.", "name": "argocd-server-5df7b9f58d-7s5qh", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container copyutil has not been allowed.", "name": "argocd-repo-server-8568fc89b5-q2tbb", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-repo-server has not been allowed.", "name": "argocd-repo-server-8568fc89b5-q2tbb", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container copyutil has not been allowed.", "name": "argocd-repo-server-8568fc89b5-8r5mv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-repo-server has not been allowed.", "name": "argocd-repo-server-8568fc89b5-8r5mv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container split-brain-fix has not been allowed.", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container sentinel has not been allowed.", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container redis has not been allowed.", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container config-init has not been allowed.", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container split-brain-fix has not been allowed.", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container sentinel has not been allowed.", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container redis has not been allowed.", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container config-init has not been allowed.", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container split-brain-fix has not been allowed.", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container sentinel has not been allowed.", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container redis has not been allowed.", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 for container config-init has not been allowed.", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container haproxy has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container config-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container secret-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container haproxy has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container config-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container secret-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container haproxy has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 for container config-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container secret-init has not been allowed.", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-notifications-controller has not been allowed.", "name": "argocd-notifications-controller-6ff6bf8dd6-2jmv8", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/dexidp/dex:v2.41.1 for container dex has not been allowed.", "name": "argocd-dex-server-556c76889-kspcg", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container copyutil has not been allowed.", "name": "argocd-dex-server-556c76889-kspcg", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-applicationset-controller has not been allowed.", "name": "argocd-applicationset-controller-6fdf84dbb6-dxmmk", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 for container argocd-application-controller has not been allowed.", "name": "argocd-application-controller-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-xh6fc", "namespace": "argo-workflows", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container image docker.io/kostiscodefresh/gitops-simple-app:v1.0 for container webserver-simple has not been allowed.", "name": "simple-deployment-74fd649f8d-6nsqn", "namespace": "argo-rollouts", "version": "v1" } ] } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV2NoPrivilege", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-0402-dev-uks/providers/Microsoft.Authorization/policyAssignments/aks-Baseline-0402-dev-uks", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", "azure-policy-definition-reference-id": "NoPrivilegedContainers", "azure-policy-definition-version": "9.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d", "azure-policy-set-definition-version": "1.4.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:38:55Z", "generation": 5, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev2noprivilege-8debdaaf494f5858ba0a", "resourceVersion": "20030151", "uid": "846dd1a7-9734-4d97-a55d-5add1c0a9700" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "excludedContainers": [], "excludedImages": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "846dd1a7-9734-4d97-a55d-5add1c0a9700", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 5, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "846dd1a7-9734-4d97-a55d-5add1c0a9700", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 5, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "846dd1a7-9734-4d97-a55d-5add1c0a9700", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 5, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV2NoPrivilege", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", "azure-policy-definition-reference-id": "privilegedContainersShouldBeAvoided", "azure-policy-definition-version": "9.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:55Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev2noprivilege-c026b8dcf46113a1d587", "resourceVersion": "20030173", "uid": "6be38cf2-7650-4933-87aa-4c48a42e248e" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "excludedContainers": [], "excludedImages": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "6be38cf2-7650-4933-87aa-4c48a42e248e", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "6be38cf2-7650-4933-87aa-4c48a42e248e", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "6be38cf2-7650-4933-87aa-4c48a42e248e", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3AllowedCapabilities", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-0402-dev-uks/providers/Microsoft.Authorization/policyAssignments/aks-Baseline-0402-dev-uks", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", "azure-policy-definition-reference-id": "ContainerCapabilities", "azure-policy-definition-version": "6.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d", "azure-policy-set-definition-version": "1.4.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:38:55Z", "generation": 5, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3allowedcapabilities-01525b03dc4912849505", "resourceVersion": "20030157", "uid": "cae55d0b-88ba-4f4f-91e9-168c1d7c053b" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "allowedCapabilities": [ "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", "AUDIT_WRITE" ], "excludedContainers": [], "excludedImages": [], "requiredDropCapabilities": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "cae55d0b-88ba-4f4f-91e9-168c1d7c053b", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 5, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "cae55d0b-88ba-4f4f-91e9-168c1d7c053b", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 5, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "cae55d0b-88ba-4f4f-91e9-168c1d7c053b", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 5, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 4, "violations": [ { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <istio-init> has a disallowed capability. Allowed capabilities are [\"CHOWN\", \"DAC_OVERRIDE\", \"FSETID\", \"FOWNER\", \"MKNOD\", \"NET_RAW\", \"SETGID\", \"SETUID\", \"SETFCAP\", \"SETPCAP\", \"NET_BIND_SERVICE\", \"SYS_CHROOT\", \"KILL\", \"AUDIT_WRITE\"]", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <istio-init> has a disallowed capability. Allowed capabilities are [\"CHOWN\", \"DAC_OVERRIDE\", \"FSETID\", \"FOWNER\", \"MKNOD\", \"NET_RAW\", \"SETGID\", \"SETUID\", \"SETFCAP\", \"SETPCAP\", \"NET_BIND_SERVICE\", \"SYS_CHROOT\", \"KILL\", \"AUDIT_WRITE\"]", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <istio-init> has a disallowed capability. Allowed capabilities are [\"CHOWN\", \"DAC_OVERRIDE\", \"FSETID\", \"FOWNER\", \"MKNOD\", \"NET_RAW\", \"SETGID\", \"SETUID\", \"SETFCAP\", \"SETPCAP\", \"NET_BIND_SERVICE\", \"SYS_CHROOT\", \"KILL\", \"AUDIT_WRITE\"]", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <istio-init> has a disallowed capability. Allowed capabilities are [\"CHOWN\", \"DAC_OVERRIDE\", \"FSETID\", \"FOWNER\", \"MKNOD\", \"NET_RAW\", \"SETGID\", \"SETUID\", \"SETFCAP\", \"SETPCAP\", \"NET_BIND_SERVICE\", \"SYS_CHROOT\", \"KILL\", \"AUDIT_WRITE\"]", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" } ] } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3AllowedCapabilities", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", "azure-policy-definition-reference-id": "AllowedCapabilitiesInKubernetesCluster", "azure-policy-definition-version": "6.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:54Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3allowedcapabilities-b51327eb590c724ae88a", "resourceVersion": "20030174", "uid": "33c490e8-e473-4604-9126-9015eaddebb6" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "allowedCapabilities": [], "excludedContainers": [], "excludedImages": [], "requiredDropCapabilities": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "33c490e8-e473-4604-9126-9015eaddebb6", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "33c490e8-e473-4604-9126-9015eaddebb6", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "33c490e8-e473-4604-9126-9015eaddebb6", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 4, "violations": [ { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <istio-init> has a disallowed capability. Allowed capabilities are []", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <istio-init> has a disallowed capability. Allowed capabilities are []", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <istio-init> has a disallowed capability. Allowed capabilities are []", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <istio-init> has a disallowed capability. Allowed capabilities are []", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" } ] } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3AllowedUsersGroups", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042", "azure-policy-definition-reference-id": "MustRunAsNonRoot", "azure-policy-definition-version": "6.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:55Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3allowedusersgroups-2cb3ccbb789ebdd1869a", "resourceVersion": "20030152", "uid": "5dafbb4a-aabd-4229-abbd-75a12da7a572" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "excludedContainers": [], "excludedImages": [], "fsGroup": { "ranges": [ { "max": -1, "min": 1 } ], "rule": "MayRunAs" }, "runAsGroup": { "ranges": [ { "max": -1, "min": 1 } ], "rule": "MustRunAs" }, "runAsUser": { "ranges": [], "rule": "MustRunAsNonRoot" }, "supplementalGroups": { "ranges": [ { "max": -1, "min": 1 } ], "rule": "MayRunAs" } } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "5dafbb4a-aabd-4229-abbd-75a12da7a572", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "5dafbb4a-aabd-4229-abbd-75a12da7a572", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "5dafbb4a-aabd-4229-abbd-75a12da7a572", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 72, "violations": [ { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "simple-deployment-74fd649f8d-lgft6", "namespace": "test", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "simple-deployment-74fd649f8d-lgft6", "namespace": "test", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "simple-deployment-74fd649f8d-66bwl", "namespace": "sealed-secrets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "simple-deployment-74fd649f8d-66bwl", "namespace": "sealed-secrets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "simple-deployment-74fd649f8d-6r55l", "namespace": "prometheus", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "simple-deployment-74fd649f8d-6r55l", "namespace": "prometheus", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container store-front is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container store-front is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container istio-init is attempting to run as disallowed user 0. Allowed runAsUser: {\"ranges\": [], \"rule\": \"MustRunAsNonRoot\"}", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container istio-init is attempting to run as disallowed group 0. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container rabbitmq is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container rabbitmq is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container istio-init is attempting to run as disallowed user 0. Allowed runAsUser: {\"ranges\": [], \"rule\": \"MustRunAsNonRoot\"}", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container istio-init is attempting to run as disallowed group 0. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container product-service is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container product-service is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container istio-init is attempting to run as disallowed user 0. Allowed runAsUser: {\"ranges\": [], \"rule\": \"MustRunAsNonRoot\"}", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container istio-init is attempting to run as disallowed group 0. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container wait-for-rabbitmq is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container wait-for-rabbitmq is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container order-service is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container order-service is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container istio-init is attempting to run as disallowed user 0. Allowed runAsUser: {\"ranges\": [], \"rule\": \"MustRunAsNonRoot\"}", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container istio-init is attempting to run as disallowed group 0. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "simple-deployment-74fd649f8d-hf4dd", "namespace": "nginx", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "simple-deployment-74fd649f8d-hf4dd", "namespace": "nginx", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "simple-deployment-74fd649f8d-5bztq", "namespace": "linkerd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "simple-deployment-74fd649f8d-5bztq", "namespace": "linkerd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "simple-deployment-74fd649f8d-9d5gt", "namespace": "kubeview", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "simple-deployment-74fd649f8d-9d5gt", "namespace": "kubeview", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container operator is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "kiali-operator-696bd54db-cv6fc", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container kiali is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "kiali-5b88cfb6f8-9wxkc", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "simple-deployment-74fd649f8d-f52jv", "namespace": "grafana", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "simple-deployment-74fd649f8d-f52jv", "namespace": "grafana", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "simple-deployment-74fd649f8d-ps8ll", "namespace": "cert-manager", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "simple-deployment-74fd649f8d-ps8ll", "namespace": "cert-manager", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container argocd-server is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-server-5df7b9f58d-rrxzz", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container argocd-server is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-server-5df7b9f58d-7s5qh", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container copyutil is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-repo-server-8568fc89b5-q2tbb", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container argocd-repo-server is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-repo-server-8568fc89b5-q2tbb", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container copyutil is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-repo-server-8568fc89b5-8r5mv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container argocd-repo-server is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-repo-server-8568fc89b5-8r5mv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container split-brain-fix is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container sentinel is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container redis is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container config-init is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container split-brain-fix is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container sentinel is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container redis is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container config-init is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container split-brain-fix is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container sentinel is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container redis is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container config-init is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container secret-init is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container haproxy is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container config-init is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container secret-init is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container haproxy is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container config-init is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container secret-init is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container haproxy is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container config-init is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container argocd-notifications-controller is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-notifications-controller-6ff6bf8dd6-2jmv8", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container dex is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-dex-server-556c76889-kspcg", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container copyutil is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-dex-server-556c76889-kspcg", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container argocd-applicationset-controller is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-applicationset-controller-6fdf84dbb6-dxmmk", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container argocd-application-controller is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "argocd-application-controller-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "simple-deployment-74fd649f8d-xh6fc", "namespace": "argo-workflows", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "simple-deployment-74fd649f8d-xh6fc", "namespace": "argo-workflows", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", "name": "simple-deployment-74fd649f8d-6nsqn", "namespace": "argo-rollouts", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Container webserver-simple is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {\"ranges\": [{\"max\": -1, \"min\": 1}], \"rule\": \"MustRunAs\"}", "name": "simple-deployment-74fd649f8d-6nsqn", "namespace": "argo-rollouts", "version": "v1" } ] } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3ContainerLimits", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164", "azure-policy-definition-reference-id": "memoryAndCPULimitsInKubernetesCluster", "azure-policy-definition-version": "9.3.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:54Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3containerlimits-53d4a426a9d80480a2de", "resourceVersion": "20030156", "uid": "ac3fcb02-2e1f-4477-aa2f-d5d9df6aad9b" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "cpuLimit": "32", "excludedContainers": [], "excludedImages": [], "memoryLimit": "64Gi" } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "ac3fcb02-2e1f-4477-aa2f-d5d9df6aad9b", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "ac3fcb02-2e1f-4477-aa2f-d5d9df6aad9b", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "ac3fcb02-2e1f-4477-aa2f-d5d9df6aad9b", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 44, "violations": [ { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <webserver-simple> has no resource limits", "name": "simple-deployment-74fd649f8d-lgft6", "namespace": "test", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <webserver-simple> has no resource limits", "name": "simple-deployment-74fd649f8d-66bwl", "namespace": "sealed-secrets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <webserver-simple> has no resource limits", "name": "simple-deployment-74fd649f8d-6r55l", "namespace": "prometheus", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <webserver-simple> has no resource limits", "name": "simple-deployment-74fd649f8d-hf4dd", "namespace": "nginx", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <webserver-simple> has no resource limits", "name": "simple-deployment-74fd649f8d-5bztq", "namespace": "linkerd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <webserver-simple> has no resource limits", "name": "simple-deployment-74fd649f8d-9d5gt", "namespace": "kubeview", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <operator> has no resource limits", "name": "kiali-operator-696bd54db-cv6fc", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <kiali> has no cpu limit", "name": "kiali-5b88cfb6f8-9wxkc", "namespace": "kiali-operator", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <webserver-simple> has no resource limits", "name": "simple-deployment-74fd649f8d-f52jv", "namespace": "grafana", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <webserver-simple> has no resource limits", "name": "simple-deployment-74fd649f8d-ps8ll", "namespace": "cert-manager", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <argocd-server> has no resource limits", "name": "argocd-server-5df7b9f58d-rrxzz", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <argocd-server> has no resource limits", "name": "argocd-server-5df7b9f58d-7s5qh", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <copyutil> has no resource limits", "name": "argocd-repo-server-8568fc89b5-q2tbb", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <argocd-repo-server> has no resource limits", "name": "argocd-repo-server-8568fc89b5-q2tbb", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <copyutil> has no resource limits", "name": "argocd-repo-server-8568fc89b5-8r5mv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <argocd-repo-server> has no resource limits", "name": "argocd-repo-server-8568fc89b5-8r5mv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <split-brain-fix> has no resource limits", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <sentinel> has no resource limits", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <redis> has no resource limits", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <config-init> has no resource limits", "name": "argocd-redis-ha-server-2", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <split-brain-fix> has no resource limits", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <sentinel> has no resource limits", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <redis> has no resource limits", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <config-init> has no resource limits", "name": "argocd-redis-ha-server-1", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <split-brain-fix> has no resource limits", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <sentinel> has no resource limits", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <redis> has no resource limits", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <config-init> has no resource limits", "name": "argocd-redis-ha-server-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <secret-init> has no resource limits", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <haproxy> has no resource limits", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <config-init> has no resource limits", "name": "argocd-redis-ha-haproxy-fb657456c-wl84v", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <secret-init> has no resource limits", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <haproxy> has no resource limits", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <config-init> has no resource limits", "name": "argocd-redis-ha-haproxy-fb657456c-shwm7", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <secret-init> has no resource limits", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <haproxy> has no resource limits", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <config-init> has no resource limits", "name": "argocd-redis-ha-haproxy-fb657456c-kj4kv", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <argocd-notifications-controller> has no resource limits", "name": "argocd-notifications-controller-6ff6bf8dd6-2jmv8", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <dex> has no resource limits", "name": "argocd-dex-server-556c76889-kspcg", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <copyutil> has no resource limits", "name": "argocd-dex-server-556c76889-kspcg", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <argocd-applicationset-controller> has no resource limits", "name": "argocd-applicationset-controller-6fdf84dbb6-dxmmk", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <argocd-application-controller> has no resource limits", "name": "argocd-application-controller-0", "namespace": "argocd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <webserver-simple> has no resource limits", "name": "simple-deployment-74fd649f8d-xh6fc", "namespace": "argo-workflows", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "container <webserver-simple> has no resource limits", "name": "simple-deployment-74fd649f8d-6nsqn", "namespace": "argo-rollouts", "version": "v1" } ] } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3DisallowedCapabilities", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626", "azure-policy-definition-reference-id": "KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringEffect", "azure-policy-definition-version": "5.1.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:54Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3disallowedcapabiliti-40f26632f25a27c26f16", "resourceVersion": "20030175", "uid": "cb229608-9506-4c1c-b90b-0ea285039082" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "disallowedCapabilities": [ "SYS_ADMIN" ], "excludedContainers": [], "excludedImages": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "cb229608-9506-4c1c-b90b-0ea285039082", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "cb229608-9506-4c1c-b90b-0ea285039082", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "cb229608-9506-4c1c-b90b-0ea285039082", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3EnforceAppArmor", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e", "azure-policy-definition-reference-id": "AllowedAppArmorProfilesInKubernetesCluster", "azure-policy-definition-version": "6.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:54Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3enforceapparmor-7679c589518d93b5c7e7", "resourceVersion": "20030154", "uid": "79d5763a-be12-442e-b6cb-ea7b15582af3" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "allowedProfiles": [ "runtime/default" ], "excludedContainers": [], "excludedImages": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "79d5763a-be12-442e-b6cb-ea7b15582af3", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "79d5763a-be12-442e-b6cb-ea7b15582af3", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "79d5763a-be12-442e-b6cb-ea7b15582af3", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3HostFilesystem", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75", "azure-policy-definition-reference-id": "AllowedHostPathVolumesInKubernetesCluster", "azure-policy-definition-version": "6.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:55Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3hostfilesystem-8305600d080e9ad2c327", "resourceVersion": "20030160", "uid": "0655a874-11b8-4822-85ef-935a11c3f897" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "allowedHostPaths": [], "excludedContainers": [], "excludedImages": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "0655a874-11b8-4822-85ef-935a11c3f897", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "0655a874-11b8-4822-85ef-935a11c3f897", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "0655a874-11b8-4822-85ef-935a11c3f897", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3HostFilesystem", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-0402-dev-uks/providers/Microsoft.Authorization/policyAssignments/aks-Baseline-0402-dev-uks", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75", "azure-policy-definition-reference-id": "NoHostPathVolume", "azure-policy-definition-version": "6.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d", "azure-policy-set-definition-version": "1.4.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:38:55Z", "generation": 5, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3hostfilesystem-c69805faac2a58931904", "resourceVersion": "20030162", "uid": "4109e574-88ce-4641-ab47-f488c8d90c65" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "allowedHostPaths": [], "excludedContainers": [], "excludedImages": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "4109e574-88ce-4641-ab47-f488c8d90c65", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 5, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "4109e574-88ce-4641-ab47-f488c8d90c65", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 5, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "4109e574-88ce-4641-ab47-f488c8d90c65", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 5, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3HostNetworkingPorts", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/resourcegroups/rg-aks-0402-dev-uks/providers/Microsoft.Authorization/policyAssignments/aks-Baseline-0402-dev-uks", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe", "azure-policy-definition-reference-id": "BlockUsingHostNetwork", "azure-policy-definition-version": "6.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d", "azure-policy-set-definition-version": "1.4.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:38:55Z", "generation": 5, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3hostnetworkingports-57394a5938175881fac7", "resourceVersion": "20030172", "uid": "f49febe9-24e1-4673-bf31-b2ea20e91907" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "allowHostNetwork": false, "excludedContainers": [], "excludedImages": [], "maxPort": 0, "minPort": 0 } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "f49febe9-24e1-4673-bf31-b2ea20e91907", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 5, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "f49febe9-24e1-4673-bf31-b2ea20e91907", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 5, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "f49febe9-24e1-4673-bf31-b2ea20e91907", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 5, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3HostNetworkingPorts", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe", "azure-policy-definition-reference-id": "AllowedHostNetworkingAndPortsInKubernetesCluster", "azure-policy-definition-version": "6.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:55Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3hostnetworkingports-c25fdf2df8bc425a78f8", "resourceVersion": "20030150", "uid": "0c1c8d6c-ac7e-4629-81ba-bf6e9cae6c51" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "allowHostNetwork": false, "excludedContainers": [], "excludedImages": [], "maxPort": 0, "minPort": 0 } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "0c1c8d6c-ac7e-4629-81ba-bf6e9cae6c51", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "0c1c8d6c-ac7e-4629-81ba-bf6e9cae6c51", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "0c1c8d6c-ac7e-4629-81ba-bf6e9cae6c51", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3NoPrivilegeEscalation", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", "azure-policy-definition-reference-id": "NoPrivilegeEscalationInKubernetesCluster", "azure-policy-definition-version": "7.2.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:55Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3noprivilegeescalatio-95e6de6242430760e899", "resourceVersion": "20030164", "uid": "93a09a86-526d-41b1-9682-29c00c9df7ee" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "excludedContainers": [], "excludedImages": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "93a09a86-526d-41b1-9682-29c00c9df7ee", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "93a09a86-526d-41b1-9682-29c00c9df7ee", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "93a09a86-526d-41b1-9682-29c00c9df7ee", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 0 } }, { "apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sAzureV3ReadOnlyRootFilesystem", "metadata": { "annotations": { "azure-policy-assignment-id": "/subscriptions/ee360ac1-ac8d-45c9-9bcf-76d19ae08a33/providers/Microsoft.Authorization/policyAssignments/securitycenterbuiltin", "azure-policy-definition-id": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80", "azure-policy-definition-reference-id": "ReadOnlyRootFileSystemInKubernetesCluster", "azure-policy-definition-version": "6.3.0", "azure-policy-set-definition-id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "azure-policy-set-definition-version": "57.49.0", "constraint-installed-by": "azure-policy-addon" }, "creationTimestamp": "2025-02-04T19:23:54Z", "generation": 1, "labels": { "managed-by": "azure-policy-addon" }, "name": "azurepolicy-k8sazurev3readonlyrootfilesyst-9d4e42e87722f6a7f5d3", "resourceVersion": "20030168", "uid": "a1855773-5e5d-4905-bb9b-10f51b398343" }, "spec": { "enforcementAction": "dryrun", "match": { "excludedNamespaces": [ "kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system" ], "kinds": [ { "apiGroups": [ "" ], "kinds": [ "Pod" ] } ], "source": "Original" }, "parameters": { "excludedContainers": [], "excludedImages": [] } }, "status": { "auditTimestamp": "2025-04-14T13:53:39Z", "byPod": [ { "constraintUID": "a1855773-5e5d-4905-bb9b-10f51b398343", "enforced": true, "id": "gatekeeper-audit-77858c8f69-ft76n", "observedGeneration": 1, "operations": [ "audit", "generate", "mutation-status", "status" ] }, { "constraintUID": "a1855773-5e5d-4905-bb9b-10f51b398343", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-5tggw", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] }, { "constraintUID": "a1855773-5e5d-4905-bb9b-10f51b398343", "enforced": true, "id": "gatekeeper-controller-6f97954b4b-t4rtc", "observedGeneration": 1, "operations": [ "mutation-webhook", "webhook" ] } ], "totalViolations": 19, "violations": [ { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'simple-deployment-74fd649f8d-lgft6', container:'webserver-simple'", "name": "simple-deployment-74fd649f8d-lgft6", "namespace": "test", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'simple-deployment-74fd649f8d-66bwl', container:'webserver-simple'", "name": "simple-deployment-74fd649f8d-66bwl", "namespace": "sealed-secrets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'simple-deployment-74fd649f8d-6r55l', container:'webserver-simple'", "name": "simple-deployment-74fd649f8d-6r55l", "namespace": "prometheus", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'store-front-658994fd95-8b7jr', container:'store-front'", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'store-front-658994fd95-8b7jr', container:'istio-init'", "name": "store-front-658994fd95-8b7jr", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'rabbitmq-0', container:'rabbitmq'", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'rabbitmq-0', container:'istio-init'", "name": "rabbitmq-0", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'product-service-5dd87dfb8-h4495', container:'product-service'", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'product-service-5dd87dfb8-h4495', container:'istio-init'", "name": "product-service-5dd87dfb8-h4495", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'order-service-6c5bfb6946-9jjrw', container:'wait-for-rabbitmq'", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'order-service-6c5bfb6946-9jjrw', container:'order-service'", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'order-service-6c5bfb6946-9jjrw', container:'istio-init'", "name": "order-service-6c5bfb6946-9jjrw", "namespace": "pets", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'simple-deployment-74fd649f8d-hf4dd', container:'webserver-simple'", "name": "simple-deployment-74fd649f8d-hf4dd", "namespace": "nginx", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'simple-deployment-74fd649f8d-5bztq', container:'webserver-simple'", "name": "simple-deployment-74fd649f8d-5bztq", "namespace": "linkerd", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'simple-deployment-74fd649f8d-9d5gt', container:'webserver-simple'", "name": "simple-deployment-74fd649f8d-9d5gt", "namespace": "kubeview", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'simple-deployment-74fd649f8d-f52jv', container:'webserver-simple'", "name": "simple-deployment-74fd649f8d-f52jv", "namespace": "grafana", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'simple-deployment-74fd649f8d-ps8ll', container:'webserver-simple'", "name": "simple-deployment-74fd649f8d-ps8ll", "namespace": "cert-manager", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'simple-deployment-74fd649f8d-xh6fc', container:'webserver-simple'", "name": "simple-deployment-74fd649f8d-xh6fc", "namespace": "argo-workflows", "version": "v1" }, { "enforcementAction": "dryrun", "group": "", "kind": "Pod", "message": "Readonly root filesystem is required for container. pod:'simple-deployment-74fd649f8d-6nsqn', container:'webserver-simple'", "name": "simple-deployment-74fd649f8d-6nsqn", "namespace": "argo-rollouts", "version": "v1" } ] } } ] } }, "clusterName": "aks-0402-dev-uks", "score": 54.6 } } |