Within my deployment I have high-priority security recommendations from the Azure Kubernetes deployment. I have some issues dealing with them, as the Rasa X Helm chart doesn't provide some of the parameters needed to solve these issues, such as:

Running containers as root user should be avoided

Remediation:
- From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers missing the ‘MustRunAsNonRoot’ rule.
- For these pods, ensure the runAsUser property is set to a non-zero value. Trying to set runAsNotRoot to true will result in a deployment error.
- After making your changes, redeploy the pod with the updated rule.

And adding it does not change anything.
RunAsUser parameter is not found in the following pods
This parameter is not found in the rasa-x values file of all of these pods:

- rasa-x
- worker
- production
- nginx
- event-service
- duckling
- db-migration
- app
Kubernetes Clusters Should Disable Automounting API Credentials

Solution: adding the following parameter resolves it:

automountServiceAccountToken: false
These pods once again do not have that value:

- Postgresql (postgresql 8.6.13 · bitnami/bitnami)
- rabbitmq (rabbitmq 6.19.2 · bitnami/bitnami)
- redis (redis 10.5.14 · bitnami/bitnami)

Overriding or disabling of containers AppArmor profile should be restricted

Solution:
annotations: container.apparmor.security.beta.kubernetes.io/v5: runtime/default

Problem: annotations not available for all except rabbitmq.
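
One way to see which pods still trigger the three recommendations discussed above, shown as an added example that is not part of the original post or of the Rasa X chart. It reads the JSON produced by `kubectl get pods -o json`. The function names and the sample pods are constructed for illustration, and treating `runtime/default` as the accepted AppArmor profile is an assumption taken from the post.

```python
import json
import sys

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# Constructed sample in the shape of `kubectl get pods -o json` (not real cluster data).
SAMPLE = {"items": [
    {"metadata": {"name": "rasa-x-sample"},
     "spec": {"containers": [{"name": "rasa-x"}]}},
    {"metadata": {"name": "rabbitmq-sample",
                  "annotations": {APPARMOR_PREFIX + "rabbitmq": "runtime/default"}},
     "spec": {"securityContext": {"runAsUser": 1001},
              "containers": [{"name": "rabbitmq"}]}},
    {"metadata": {"name": "hardened-sample",
                  "annotations": {APPARMOR_PREFIX + "app": "runtime/default"}},
     "spec": {"automountServiceAccountToken": False,
              "containers": [{"name": "app", "securityContext": {"runAsUser": 1000}}]}},
]}


def audit_pod(pod):
    """Return findings for one pod (hypothetical helper, not a Defender API)."""
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations") or {}
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    findings = []
    # Only the pod spec is inspected; a ServiceAccount-level setting is not.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("automountServiceAccountToken is not false")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        # A container-level runAsUser overrides the pod-level value.
        uid = (c.get("securityContext") or {}).get("runAsUser", pod_uid)
        if not uid:  # unset (None) or 0 (root)
            findings.append(f"{c['name']}: runAsUser unset or 0")
        # The annotation key ends with the container's name.
        if annotations.get(APPARMOR_PREFIX + c["name"]) != "runtime/default":
            findings.append(f"{c['name']}: AppArmor annotation missing or not runtime/default")
    return findings


def audit(pod_list):
    """Map pod name -> findings, listing only pods with at least one finding."""
    report = {p["metadata"]["name"]: audit_pod(p) for p in pod_list.get("items", [])}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    # Usage: kubectl get pods -n <namespace> -o json > pods.json; python audit.py pods.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, findings in audit(data).items():
        print(name, *findings, sep="\n  - ")
```

Running it before and after a redeploy shows whether a value set in the chart actually reached the rendered pod spec.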