Kubernetes Security Assessment Report

4 container(s) have 5+ restarts, indicating instability or repeated failure

• burpsuite/cnpg-burpsuite-db-cluster-3/postgres (restarts=16)
• external-secrets/test-external-secrets-7bf9df4688-ccst9/external-secrets (restarts=25)
• kube-system/openstack-cloud-controller-manager-dsl24/openstack-cloud-controller-manager (restarts=5)
• nats/test-nats-ui-nui-0/nui (restarts=14)

1 container(s) were recently OOMKilled - possible memory exhaustion

• kube-system/openstack-cinder-csi-nodeplugin-rxgn9/node-driver-registrar

3 running container(s) use :latest or no tag

• burpsuite/ubuntu-change-pvc-permissions-6l62k/ubuntu image=ubuntu:latest
• default/node-debugger-never-dev-sec-mdd-r9l6s-tpxjj-nbc5t/debugger image=busybox
• default/node-debugger-never-dev-sec-mdd-r9l6s-tpxjj-s86bq/debugger image=ubuntu

72 running container(s) lack both liveness and readiness probes

• argo-cd/argo-cd-argocd-applicationset-controller-85468f69dc-4mtbb/applicationset-controller
• argo-cd/argo-cd-argocd-applicationset-controller-85468f69dc-dxm2c/applicationset-controller
• argo-cd/argo-cd-argocd-applicationset-controller-85468f69dc-fd96n/applicationset-controller
• argo-cd/argo-cd-argocd-applicationset-controller-85468f69dc-pgs4p/applicationset-controller
• argo-cd/argo-cd-argocd-dex-server-57589b5c8b-mzjn2/dex-server
• argo-cd/argo-cd-argocd-notifications-controller-6cfc45b4fd-nlcxj/notifications-controller
• argo-cd/argo-cd-argocd-notifications-controller-6cfc45b4fd-vzptq/notifications-controller
• argo-cd/argo-cd-redis-ha-server-0/split-brain-fix
• argo-cd/argo-cd-redis-ha-server-1/split-brain-fix
• argo-cd/argo-cd-redis-ha-server-2/split-brain-fix
• cert-manager/cert-manager-cainjector-cf4f94f8c-vjf64/cert-manager-cainjector
• cert-manager/cert-manager-cainjector-cf4f94f8c-z8mc7/cert-manager-cainjector
• default/httpbin-56c54d77b8-9cd8d/httpbin
• delme-i862106/nginx-fips-667cc48df9-drhn6/nginx-fips
• external-secrets/test-external-secrets-7bf9df4688-ccst9/external-secrets
• falco/test-falco-4ttzt/falcoctl-artifact-follow
• falco/test-falco-5sbff/falcoctl-artifact-follow
• falco/test-falco-bw6sg/falcoctl-artifact-follow
• falco/test-falco-fm42l/falcoctl-artifact-follow
• falco/test-falco-hd8g7/falcoctl-artifact-follow

1 container(s) use IfNotPresent with mutable tags

• burpsuite/ubuntu-change-pvc-permissions-6l62k/ubuntu tag=latest policy=IfNotPresent

21 pod(s) have been in not-ready state for 5+ minutes

• burpsuite/cnpg-burpsuite-db-cluster-3 (unready 850m)
• burpsuite/cnpg-burpsuite-db-cluster-pooler-rw-785d5f97d5-hvmdq (unready 12832m)
• burpsuite/test-burpsuite-scan-controller-94bbdccbb-gvk7g (unready 10108m)
• cert-manager/cert-manager-cd6c7c6b9-k6w8l (unready 10108m)
• cert-manager/cert-manager-webhook-6d78ddb474-vzlwx (unready 10108m)
• falco/test-falco-hd8g7 (unready 14823m)
• ingress-nginx/ingress-nginx-controller-6f6f859569-tvfv4 (unready 192m)
• kube-system/cilium-envoy-j88lg (unready 10108m)
• kube-system/cilium-n5pl4 (unready 10108m)
• kube-system/csi-nfs-controller-68d68c78cc-zxsl5 (unready 10108m)
• kube-system/csi-nfs-node-c98gm (unready 10108m)
• kube-system/openstack-cinder-csi-nodeplugin-rxgn9 (unready 10108m)
• kyverno/kyverno-admission-controller-754b69b488-hcw7d (unready 10108m)
• kyverno/kyverno-background-controller-67f8c8b894-blxss (unready 10108m)
• kyverno/kyverno-cleanup-controller-6cd48b98bf-78g72 (unready 15950m)
• kyverno/kyverno-reports-controller-6476c4bd77-jc7mx (unready 10108m)
• nats/test-nats-ui-nui-0 (unready 55m)
• splunk/splunk-idxc-test-indexer-0 (unready 21214m)
• splunk/splunk-idxc-test-indexer-1 (unready 3604m)
• splunk/splunk-mc-test-monitoring-console-0 (unready 21214m)

1 deployment(s) have fewer available replicas than desired

• pgadmin4/test-pgadmin4 (desired=1, available=0)

33 pod(s) running 90+ days without restart

• argo-cd/argo-cd-argocd-application-controller-0 (age=129d)
• argo-cd/argo-cd-argocd-dex-server-57589b5c8b-mzjn2 (age=129d)
• argo-cd/argo-cd-redis-ha-server-1 (age=129d)
• k0s-system/k0s-pushgateway-6d8f9785c7-gxdrj (age=129d)
• kube-system/cilium-envoy-69kfp (age=129d)
• kube-system/cilium-envoy-7llfh (age=129d)
• kube-system/cilium-envoy-fzzwc (age=129d)
• kube-system/cilium-envoy-h4v62 (age=129d)
• kube-system/cilium-envoy-h66fl (age=129d)
• kube-system/cilium-envoy-hwb8b (age=129d)
• kube-system/cilium-envoy-j88lg (age=97d)
• kube-system/cilium-envoy-kp85x (age=129d)
• kube-system/cilium-envoy-l4j2g (age=129d)
• kube-system/cilium-envoy-rtnsv (age=129d)
• kube-system/cilium-envoy-wgmdf (age=129d)
• kube-system/cilium-envoy-xkncd (age=129d)
• kube-system/coredns-c8d757745-65n7g (age=129d)
• kube-system/coredns-c8d757745-rgq99 (age=129d)
• kube-system/openstack-cinder-csi-nodeplugin-4l47h (age=129d)
• kube-system/openstack-cinder-csi-nodeplugin-5ggkt (age=129d)

54 warning event(s) in the last hour

• argo-cd/argo-cd-argocd-repo-server: FailedGetResourceMetric - failed to get memory utilization: unable to get metrics for resource memory: una
• argo-cd/argo-cd-argocd-repo-server: FailedGetResourceMetric - failed to get cpu utilization: unable to get metrics for resource cpu: unable to
• argo-cd/argo-cd-argocd-repo-server: FailedComputeMetricsReplicas - invalid metrics (2 invalid out of 2), first error is: failed to get memory resou
• argo-cd/argo-cd-argocd-repo-server: FailedGetResourceMetric - failed to get memory utilization: unable to get metrics for resource memory: una
• argo-cd/argo-cd-argocd-repo-server: FailedGetResourceMetric - failed to get cpu utilization: unable to get metrics for resource cpu: unable to
• argo-cd/argo-cd-argocd-repo-server: FailedComputeMetricsReplicas - invalid metrics (2 invalid out of 2), first error is: failed to get memory resou
• argo-cd/argo-cd-argocd-repo-server: FailedGetResourceMetric - failed to get memory utilization: unable to get metrics for resource memory: una
• argo-cd/argo-cd-argocd-repo-server: FailedGetResourceMetric - failed to get cpu utilization: unable to get metrics for resource cpu: unable to
• argo-cd/argo-cd-argocd-server: FailedGetResourceMetric - failed to get memory utilization: unable to get metrics for resource memory: una
• argo-cd/argo-cd-argocd-server: FailedGetResourceMetric - failed to get cpu utilization: unable to get metrics for resource cpu: unable to
• argo-cd/argo-cd-argocd-server: FailedComputeMetricsReplicas - invalid metrics (2 invalid out of 2), first error is: failed to get memory resou
• argo-cd/argo-cd-argocd-server: FailedGetResourceMetric - failed to get memory utilization: unable to get metrics for resource memory: una
• argo-cd/argo-cd-argocd-server: FailedGetResourceMetric - failed to get cpu utilization: unable to get metrics for resource cpu: unable to
• argo-cd/argo-cd-argocd-server: FailedComputeMetricsReplicas - invalid metrics (2 invalid out of 2), first error is: failed to get memory resou
• argo-cd/argo-cd-argocd-server: FailedGetResourceMetric - failed to get memory utilization: unable to get metrics for resource memory: una
• argo-cd/argo-cd-argocd-server: FailedGetResourceMetric - failed to get cpu utilization: unable to get metrics for resource cpu: unable to
• burpsuite/cnpg-burpsuite-db-cluster-3: Unhealthy - Startup probe failed: HTTP probe failed with statuscode: 500
• -/never-dev-sec-mdd-r9l6s-tpxjj: ContainerGCFailed - rpc error: code = DeadlineExceeded desc = context deadline exceeded
• -/never-dev-sec-mdd-r9l6s-tpxjj: ImageGCFailed - rpc error: code = DeadlineExceeded desc = context deadline exceeded
• default/node-debugger-never-dev-sec-mdd-r9l6s-tpxjj-nbc5t: FailedToRetrieveImagePullSecret - Unable to retrieve some image pull secrets (chainguard-registry-secret); attempt
• default/node-debugger-never-dev-sec-mdd-r9l6s-tpxjj-nbc5t: FailedCreatePodSandBox - Failed to create pod sandbox: rpc error: code = DeadlineExceeded desc = context
• default/node-debugger-never-dev-sec-mdd-r9l6s-tpxjj-s86bq: FailedToRetrieveImagePullSecret - Unable to retrieve some image pull secrets (chainguard-registry-secret); attempt
• default/node-debugger-never-dev-sec-mdd-r9l6s-tpxjj-s86bq: FailedCreatePodSandBox - Failed to create pod sandbox: rpc error: code = DeadlineExceeded desc = context
• -/pvc-e8e5049c-b3ff-413a-9c0f-4d13c6b88dd7: VolumeFailedDelete - persistentvolume pvc-e8e5049c-b3ff-413a-9c0f-4d13c6b88dd7 is still attached to n
• ingress-nginx/ingress-nginx-controller-6f6f859569-tvfv4: Unhealthy - Readiness probe failed: Get "http://100.250.1.113:10254/healthz": context deadli
• ingress-nginx/ingress-nginx-controller: FailedGetResourceMetric - failed to get memory utilization: unable to get metrics for resource memory: una
• ingress-nginx/ingress-nginx-controller: FailedGetResourceMetric - failed to get cpu utilization: unable to get metrics for resource cpu: unable to
• ingress-nginx/ingress-nginx-controller: FailedComputeMetricsReplicas - invalid metrics (2 invalid out of 2), first error is: failed to get memory resou
• ingress-nginx/ingress-nginx-controller: FailedGetResourceMetric - failed to get memory utilization: unable to get metrics for resource memory: una
• ingress-nginx/ingress-nginx-controller: FailedGetResourceMetric - failed to get cpu utilization: unable to get metrics for resource cpu: unable to

No pods have ephemeral debug containers attached

12 Falco pod(s) running