How to fix SAST analysis issues reported for falco
Motivation
Hi there, our company uses checkov to perform SAST analysis for our codebase.
I know some of these things are "by design", but how do we handle the rest?
Please check logs below.
Feature
Just add the required settings in the yaml manifest ...
Alternatives
Or, in case they cannot be remediated, clearly state this in the documentation and provide a detailed guide on how to exclude them from the scanning.
Additional context
I have downloaded the helm chart from the official repository, unpacked the archive, used helm template to show the generated yaml files and scanned them with checkov. Please check here:
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm pull falcosecurity/falco
tar -zxf falco-4.16.0.tgz && cd falco
helm template . > all-falco.yaml
docker run --rm --interactive --tty --entrypoint /bin/sh --volume "$(pwd)":/tf bridgecrew/checkov
cd /tf
Here are all the issues thrown by the checkov engine so far
root@6a5053301d6a:/tf# checkov -f all-falco.yaml
By Prisma Cloud | version: 3.2.329
kubernetes scan results:
Passed checks: 78, Failed checks: 26, Skipped checks: 0
Check: CKV_K8S_41: "Ensure that default service accounts are not actively used"
PASSED for resource: ServiceAccount.default.release-name-falco
File: /all-falco.yaml:3-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-38
Check: CKV_K8S_157: "Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings"
PASSED for resource: Role.default.release-name-falco
File: /all-falco.yaml:182-201
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-roles-and-clusterroles-that-grant-permissions-to-bind-rolebindings-or-clusterrolebindings-are-minimized
Check: CKV_K8S_158: "Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles"
PASSED for resource: Role.default.release-name-falco
File: /all-falco.yaml:182-201
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-roles-and-clusterroles-that-grant-permissions-to-escalate-roles-or-clusterrole-are-minimized
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
PASSED for resource: Role.default.release-name-falco
File: /all-falco.yaml:182-201
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles
Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
PASSED for resource: RoleBinding.default.release-name-falco
File: /all-falco.yaml:203-221
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used
Check: CKV_K8S_148: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate-for-kubelet
Check: CKV_K8S_75: "Ensure that the --authorization-mode argument includes Node"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-authorization-mode-argument-includes-node
Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24
Check: CKV_K8S_72: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate
Check: CKV_K8S_70: "Ensure that the --token-auth-file argument is not set"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-token-auth-file-parameter-is-not-set
Check: CKV_K8S_94: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate
Check: CKV_K8S_17: "Containers should not share the host process ID namespace"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-16
Check: CKV_K8S_102: "Ensure that the --etcd-cafile argument is set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-etcd-cafile-argument-is-set-as-appropriate-1
Check: CKV_K8S_71: "Ensure that the --kubelet-https argument is set to true"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-kubelet-https-argument-is-set-to-true
Check: CKV_K8S_96: "Ensure that the --service-account-lookup argument is set to true"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-service-account-lookup-argument-is-set-to-true
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31
Check: CKV_K8S_92: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxage-argument-is-set-to-30-or-as-appropriate
Check: CKV_K8S_68: "Ensure that the --anonymous-auth argument is set to false"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-anonymous-auth-argument-is-set-to-false-1
Check: CKV_K8S_26: "Do not specify hostPort unless absolutely necessary"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-25
Check: CKV_K8S_143: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-streaming-connection-idle-timeout-argument-is-not-set-to-0
Check: CKV_K8S_85: "Ensure that the admission control plugin NodeRestriction is set"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-noderestriction-is-set
Check: CKV_K8S_84: "Ensure that the admission control plugin PodSecurityPolicy is set"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-podsecuritypolicy-is-set
Check: CKV_K8S_86: "Ensure that the --insecure-bind-address argument is not set"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-insecure-bind-address-argument-is-not-set
Check: CKV_K8S_18: "Containers should not share the host IPC namespace"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-17
Check: CKV_K8S_159: "Limit the use of git-sync to prevent code injection"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Check: CKV_K8S_141: "Ensure that the --read-only-port argument is set to 0"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-read-only-port-argument-is-set-to-0
Check: CKV_K8S_27: "Do not expose the docker daemon socket to containers"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-26
Check: CKV_K8S_39: "Do not use the CAP_SYS_ADMIN linux capability"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-36
Check: CKV_K8S_147: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture
Check: CKV_K8S_82: "Ensure that the admission control plugin ServiceAccount is set"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-serviceaccount-is-set
Check: CKV_K8S_149: "Ensure that the --rotate-certificates argument is not set to false"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-rotate-certificates-argument-is-not-set-to-false
Check: CKV_K8S_81: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used
Check: CKV_K8S_105: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33
Check: CKV_K8S_114: "Ensure that the --profiling argument is set to false"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-profiling-argument-is-set-to-false-1
Check: CKV_K8S_112: "Ensure that the RotateKubeletServerCertificate argument is set to true"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-for-controller-manager
Check: CKV_K8S_95: "Ensure that the --request-timeout argument is set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-request-timeout-argument-is-set-as-appropriate
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13
Check: CKV_K8S_89: "Ensure that the --secure-port argument is not set to 0"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-secure-port-argument-is-not-set-to-0
Check: CKV_K8S_107: "Ensure that the --profiling argument is set to false"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-profiling-argument-is-set-to-false
Check: CKV_K8S_80: "Ensure that the admission control plugin AlwaysPullImages is set"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-alwayspullimages-is-set
Check: CKV_K8S_34: "Ensure that Tiller (Helm v2) is not deployed"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-32
Check: CKV_K8S_97: "Ensure that the --service-account-key-file argument is set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-service-account-key-file-argument-is-set-as-appropriate
Check: CKV_K8S_88: "Ensure that the --insecure-port argument is set to 0"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-insecure-port-argument-is-set-to-0
Check: CKV_K8S_93: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate
Check: CKV_K8S_118: "Ensure that the --auto-tls argument is not set to true"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-auto-tls-argument-is-not-set-to-true
Check: CKV_K8S_111: "Ensure that the --root-ca-file argument is set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-root-ca-file-argument-is-set-as-appropriate
Check: CKV_K8S_106: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-terminated-pod-gc-threshold-argument-is-set-as-appropriate
Check: CKV_K8S_91: "Ensure that the --audit-log-path argument is set"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-path-argument-is-set
Check: CKV_K8S_69: "Ensure that the --basic-auth-file argument is not set"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-basic-auth-file-argument-is-not-set
Check: CKV_K8S_108: "Ensure that the --use-service-account-credentials argument is set to true"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-use-service-account-credentials-argument-is-set-to-true
Check: CKV_K8S_144: "Ensure that the --protect-kernel-defaults argument is set to true"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-protect-kernel-defaults-argument-is-set-to-true
Check: CKV_K8S_151: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers
Check: CKV_K8S_115: "Ensure that the --bind-address argument is set to 127.0.0.1"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-bind-address-argument-is-set-to-127001-1
Check: CKV_K8S_83: "Ensure that the admission control plugin NamespaceLifecycle is set"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-namespacelifecycle-is-set
Check: CKV_K8S_119: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-peer-cert-file-and-peer-key-file-arguments-are-set-as-appropriate
Check: CKV_K8S_100: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate
Check: CKV_K8S_104: "Ensure that encryption providers are appropriately configured"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-etcd-cafile-argument-is-set-as-appropriate
Check: CKV_K8S_77: "Ensure that the --authorization-mode argument includes RBAC"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-authorization-mode-argument-includes-rbac
Check: CKV_K8S_99: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate
Check: CKV_K8S_110: "Ensure that the --service-account-private-key-file argument is set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-service-account-private-key-file-argument-is-set-as-appropriate
Check: CKV_K8S_19: "Containers should not share the host network namespace"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18
Check: CKV_K8S_74: "Ensure that the --authorization-mode argument is not set to AlwaysAllow"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-authorization-mode-argument-is-not-set-to-alwaysallow-1
Check: CKV_K8S_90: "Ensure that the --profiling argument is set to false"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-profiling-argument-is-set-to-false-2
Check: CKV_K8S_146: "Ensure that the --hostname-override argument is not set"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-hostname-override-argument-is-not-set
Check: CKV_K8S_117: "Ensure that the --client-cert-auth argument is set to true"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-client-cert-auth-argument-is-set-to-true
Check: CKV_K8S_139: "Ensure that the --authorization-mode argument is not set to AlwaysAllow"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-authorization-mode-argument-is-not-set-to-alwaysallow
Check: CKV_K8S_145: "Ensure that the --make-iptables-util-chains argument is set to true"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-make-iptables-util-chains-argument-is-set-to-true
Check: CKV_K8S_138: "Ensure that the --anonymous-auth argument is set to false"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-anonymous-auth-argument-is-set-to-false
Check: CKV_K8S_113: "Ensure that the --bind-address argument is set to 127.0.0.1"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-bind-address-argument-is-set-to-127001
Check: CKV_K8S_73: "Ensure that the --kubelet-certificate-authority argument is set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-kubelet-certificate-authority-argument-is-set-as-appropriate
Check: CKV_K8S_79: "Ensure that the admission control plugin AlwaysAdmit is not set"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set
Check: CKV_K8S_116: "Ensure that the --cert-file and --key-file arguments are set as appropriate"
PASSED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-cert-file-and-key-file-arguments-are-set-as-appropriate
Check: CKV2_K8S_2: "Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation"
PASSED for resource: RoleBinding.default.release-name-falco
File: /all-falco.yaml:203-221
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/granting-create-permissions-to-nodesproxy-or-podsexec-sub-resources-allows-potential-privilege-escalation
Check: CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
PASSED for resource: RoleBinding.default.release-name-falco
File: /all-falco.yaml:203-221
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets
Check: CKV2_K8S_3: "No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts"
PASSED for resource: RoleBinding.default.release-name-falco
File: /all-falco.yaml:203-221
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-have-impersonate-permissions-for-groupsusersservice-accounts
Check: CKV2_K8S_4: "ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster."
PASSED for resource: RoleBinding.default.release-name-falco
File: /all-falco.yaml:203-221
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/serviceaccounts-and-nodes-potentially-exposed-to-cve-2020-8554
Check: CKV2_K8S_1: "RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding"
PASSED for resource: RoleBinding.default.release-name-falco
File: /all-falco.yaml:203-221
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/rolebinding-should-not-allow-privilege-escalation-to-a-serviceaccount-or-node-on-other-rolebinding
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.release-name-falco
File: /all-falco.yaml:3-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20
 3 | apiVersion: v1
 4 | kind: ServiceAccount
 5 | metadata:
 6 |   name: release-name-falco
 7 |   namespace: default
 8 |   labels:
 9 |     helm.sh/chart: falco-4.16.0
10 |     app.kubernetes.io/name: falco
11 |     app.kubernetes.io/instance: release-name
12 |     app.kubernetes.io/version: "0.39.2"
13 |     app.kubernetes.io/managed-by: Helm
14 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.release-name-falco
File: /all-falco.yaml:16-145
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.release-name-falco-falcoctl
File: /all-falco.yaml:147-180
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20
147 | apiVersion: v1
148 | kind: ConfigMap
149 | metadata:
150 |   name: release-name-falco-falcoctl
151 |   namespace: default
152 |   labels:
153 |     helm.sh/chart: falco-4.16.0
154 |     app.kubernetes.io/name: falco
155 |     app.kubernetes.io/instance: release-name
156 |     app.kubernetes.io/version: "0.39.2"
157 |     app.kubernetes.io/managed-by: Helm
158 | data:
159 |   falcoctl.yaml: |-
160 |     artifact:
161 |       allowedTypes:
162 |       - rulesfile
163 |       - plugin
164 |       follow:
165 |         every: 6h
166 |         falcoversions: http://localhost:8765/versions
167 |         pluginsDir: /plugins
168 |         refs:
169 |         - falco-rules:3
170 |         rulesfilesDir: /rulesfiles
171 |       install:
172 |         pluginsDir: /plugins
173 |         refs:
174 |         - falco-rules:3
175 |         resolveDeps: true
176 |         rulesfilesDir: /rulesfiles
177 |     indexes:
178 |     - name: falcosecurity
179 |       url: https://falcosecurity.github.io/falcoctl/index.yaml
180 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Role.default.release-name-falco
File: /all-falco.yaml:182-201
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20
182 | kind: Role
183 | apiVersion: rbac.authorization.k8s.io/v1
184 | metadata:
185 |   name: release-name-falco
186 |   labels:
187 |     helm.sh/chart: falco-4.16.0
188 |     app.kubernetes.io/name: falco
189 |     app.kubernetes.io/instance: release-name
190 |     app.kubernetes.io/version: "0.39.2"
191 |     app.kubernetes.io/managed-by: Helm
192 | rules:
193 |   - apiGroups:
194 |       - ""
195 |     resources:
196 |       - configmaps
197 |     verbs:
198 |       - get
199 |       - list
200 |       - update
201 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: RoleBinding.default.release-name-falco
File: /all-falco.yaml:203-221
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20
203 | kind: RoleBinding
204 | apiVersion: rbac.authorization.k8s.io/v1
205 | metadata:
206 | name: release-name-falco
207 | labels:
208 | helm.sh/chart: falco-4.16.0
209 | app.kubernetes.io/name: falco
210 | app.kubernetes.io/instance: release-name
211 | app.kubernetes.io/version: "0.39.2"
212 | app.kubernetes.io/managed-by: Helm
213 | subjects:
214 | - kind: ServiceAccount
215 | name: release-name-falco
216 | namespace: default
217 | roleRef:
218 | kind: Role
219 | name: release-name-falco
220 | apiGroup: rbac.authorization.k8s.io
221 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_16: "Container should not be privileged"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-15
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.default.release-name-falco
File: /all-falco.yaml:223-452
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.release-name-falco
File: /all-falco.yaml:223-452
Code lines for this resource are too many. Please use IDE of your choice to review the file.
root@6a5053301d6a:/tf#
As your issue concerns the Helm chart and not directly falco's source code, can you recreate this issue in https://github.com/falcosecurity/charts, please.
We'll take care of the failed checks with @alacuku and even maybe verify the other charts at the same time
Great, thanks.
Will do it.
@Issif wouldn't it be simpler to transfer this issue ?
Just in case, I tried but I may not have sufficient permissions to do that.
@Issif wouldn't it be simpler to transfer this issue ? Just in case, I tried but I may not have sufficient permissions to do that.
I can't either, let me see with the other maintainers.
Hey @kristian-kirilov-rg,
You are running the checkov tool on the default values. For example, all the messages regarding the default namespace would disappear if you changed it.
My suggestion is to configure Falco for your use case and then generate the manifests using the helm template command.
Transferred this to the charts repo.
Hey @kristian-kirilov-rg,
You are running the checkov tool on the default values. For example, all the messages regarding the default namespace would disappear if you changed it. My suggestion is to configure Falco for your use case and then generate the manifests using the helm template command.
I'm not sure what you are speaking about. We check the Kubernetes template, there is nothing related to the namespace.
The moment when somebody from our team uploads such files into our git repository, all the files will be checked by checkov, then the issue will arise again.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.release-name-falco
File: /all-falco.yaml:3-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20
3 | apiVersion: v1
4 | kind: ServiceAccount
5 | metadata:
6 | name: release-name-falco
7 | namespace: default
8 | labels:
9 | helm.sh/chart: falco-4.16.0
10 | app.kubernetes.io/name: falco
11 | app.kubernetes.io/instance: release-name
12 | app.kubernetes.io/version: "0.39.2"
13 | app.kubernetes.io/managed-by: Helm
14 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.release-name-falco
File: /all-falco.yaml:16-145
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.release-name-falco-falcoctl
File: /all-falco.yaml:147-180
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20
147 | apiVersion: v1
148 | kind: ConfigMap
149 | metadata:
150 | name: release-name-falco-falcoctl
151 | namespace: default
152 | labels:
153 | helm.sh/chart: falco-4.16.0
154 | app.kubernetes.io/name: falco
155 | app.kubernetes.io/instance: release-name
156 | app.kubernetes.io/version: "0.39.2"
157 | app.kubernetes.io/managed-by: Helm
158 | data:
159 | falcoctl.yaml: |-
160 | artifact:
161 | allowedTypes:
162 | - rulesfile
163 | - plugin
164 | follow:
165 | every: 6h
166 | falcoversions: http://localhost:8765/versions
167 | pluginsDir: /plugins
168 | refs:
169 | - falco-rules:3
170 | rulesfilesDir: /rulesfiles
171 | install:
172 | pluginsDir: /plugins
173 | refs:
174 | - falco-rules:3
175 | resolveDeps: true
176 | rulesfilesDir: /rulesfiles
177 | indexes:
178 | - name: falcosecurity
179 | url: https://falcosecurity.github.io/falcoctl/index.yaml
180 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Role.default.release-name-falco
File: /all-falco.yaml:182-201
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20
182 | kind: Role
183 | apiVersion: rbac.authorization.k8s.io/v1
184 | metadata:
185 | name: release-name-falco
186 | labels:
187 | helm.sh/chart: falco-4.16.0
188 | app.kubernetes.io/name: falco
189 | app.kubernetes.io/instance: release-name
190 | app.kubernetes.io/version: "0.39.2"
191 | app.kubernetes.io/managed-by: Helm
192 | rules:
193 | - apiGroups:
194 | - ""
195 | resources:
196 | - configmaps
197 | verbs:
198 | - get
199 | - list
200 | - update
201 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: RoleBinding.default.release-name-falco
File: /all-falco.yaml:203-221
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20
203 | kind: RoleBinding
204 | apiVersion: rbac.authorization.k8s.io/v1
205 | metadata:
206 | name: release-name-falco
207 | labels:
208 | helm.sh/chart: falco-4.16.0
209 | app.kubernetes.io/name: falco
210 | app.kubernetes.io/instance: release-name
211 | app.kubernetes.io/version: "0.39.2"
212 | app.kubernetes.io/managed-by: Helm
213 | subjects:
214 | - kind: ServiceAccount
215 | name: release-name-falco
216 | namespace: default
217 | roleRef:
218 | kind: Role
219 | name: release-name-falco
220 | apiGroup: rbac.authorization.k8s.io
221 | ---
That's what I'm talking about. The messages clearly refer to resources using the default namespace.
I see, no worries, we can exclude these. But the list I showed you above is quite big :-)
So how to deal with the rest?
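An added example, not part of the thread and not code from the Falco or checkov projects: a small triage script for checkov CLI text in the format quoted above. It separates the CKV_K8S_21 findings, which the maintainer's reply ties to rendering with the default namespace, from the failed checks that still need a per-check decision. The sample report is constructed from lines quoted in this issue, and the function names are hypothetical.

```python
import re

# Constructed sample, in the format of the checkov CLI output quoted in this issue.
SAMPLE = """\
Check: CKV_K8S_41: "Ensure that default service accounts are not actively used"
PASSED for resource: ServiceAccount.default.release-name-falco
File: /all-falco.yaml:3-14
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Role.default.release-name-falco
File: /all-falco.yaml:182-201
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: DaemonSet.default.release-name-falco
Check: CKV_K8S_16: "Container should not be privileged"
FAILED for resource: DaemonSet.default.release-name-falco
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.release-name-falco
"""

CHECK_RE = re.compile(r'^Check: (CKV2?_[A-Z0-9]+_\d+): "(.*)"$')
RESULT_RE = re.compile(r'^(PASSED|FAILED) for resource: (\S+)$')

def failed_checks(report):
    """Return {check_id: {"title": ..., "resources": [...]}} for FAILED results only."""
    failed, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        check = CHECK_RE.match(line)
        result = RESULT_RE.match(line)
        if check:
            current = check.groups()          # remember the check until its result line
        elif result and current:
            if result.group(1) == "FAILED":
                entry = failed.setdefault(current[0], {"title": current[1], "resources": []})
                entry["resources"].append(result.group(2))
            current = None                    # File:/Guide:/code lines are ignored
    return failed

def triage(report, namespace_checks=("CKV_K8S_21",)):
    """Split failures into namespace-dependent ones and those needing review."""
    failed = failed_checks(report)
    by_namespace = {k: v for k, v in failed.items() if k in namespace_checks}
    remaining = {k: v for k, v in failed.items() if k not in namespace_checks}
    return by_namespace, remaining

if __name__ == "__main__":
    _, remaining = triage(SAMPLE)
    for check_id, info in sorted(remaining.items()):
        print(check_id, "|", info["title"], "|", ", ".join(info["resources"]))
```

The remaining list is the input for a per-check decision: change the chart values where a setting exists, or record a justified exception for checks the workload cannot satisfy.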