chore: Update manifests after change

2025-12-04 04:54:08 +00:00
parent dad1b4623c
commit bfe0e18539
2066 changed files with 378996 additions and 0 deletions
--- a/clusters/cl01tl/manifests/trivy/ClusterComplianceReport-k8s-pss-restricted-0.1
+++ b/clusters/cl01tl/manifests/trivy/ClusterComplianceReport-k8s-pss-restricted-0.1
@@ -0,0 +1,126 @@
+---
+# Source: trivy/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml
+apiVersion: aquasecurity.github.io/v1alpha1
+kind: ClusterComplianceReport
+metadata:
+  name: k8s-pss-restricted-0.1
+  labels:
+    app.kubernetes.io/name: trivy-operator
+    app.kubernetes.io/instance: trivy-operator
+    app.kubernetes.io/version: 0.29.0
+    app.kubernetes.io/managed-by: kubectl
+spec:
+  cron: "0 5 * * *"
+  reportType: "summary"
+  compliance:
+    id: k8s-pss-restricted-0.1
+    platform: k8s
+    type: pss-restricted
+    title: Kubernetes Pod Security Standards - Restricted
+    description: Kubernetes Pod Security Standards - Restricted
+    relatedResources:
+      - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+    version: "0.1"
+    controls:
+      - name: HostProcess
+        description: Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy
+        id: "1"
+        checks:
+          - id: AVD-KSV-0103
+        severity: HIGH
+      - name: Host Namespaces
+        description: Sharing the host namespaces must be disallowed.
+        id: "2"
+        checks:
+          - id: AVD-KSV-0008
+        severity: HIGH
+      - name: Privileged Containers
+        description: Privileged Pods disable most security mechanisms and must be disallowed.
+        id: "3"
+        checks:
+          - id: AVD-KSV-0017
+        severity: HIGH
+      - name: Capabilities
+        description: Adding additional capabilities beyond those listed below must be disallowed.
+        id: "4"
+        checks:
+          - id: AVD-KSV-0022
+        severity: MEDIUM
+      - name: HostPath Volumes
+        description: HostPath volumes must be forbidden.
+        id: "5"
+        checks:
+          - id: AVD-KSV-0023
+        severity: MEDIUM
+      - name: host ports
+        description: hostports should be disallowed, or at minimum restricted to a known list.
+        id: "6"
+        checks:
+          - id: avd-ksv-0024
+        severity: HIGH
+      - name: AppArmor
+        description: On supported hosts, the runtime/default AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.
+        id: "7"
+        checks:
+          - id: avd-ksv-0002
+        severity: HIGH
+      - name: SELinux
+        description: Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.
+        id: "8"
+        checks:
+          - id: avd-ksv-0025
+        severity: MEDIUM
+      - name: /proc Mount Type
+        description: The default /proc masks are set up to reduce attack surface, and should be required.
+        id: "9"
+        checks:
+          - id: avd-ksv-0027
+        severity: MEDIUM
+      - name: Seccomp
+        description: Seccomp profile must not be explicitly set to Unconfined.
+        id: "10"
+        checks:
+          - id: avd-ksv-0104
+        severity: MEDIUM
+      - name: Sysctls
+        description: Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
+        id: "11"
+        checks:
+          - id: avd-ksv-0026
+        severity: MEDIUM
+      - name: Volume Types
+        description: The restricted policy only permits specific volume types.
+        id: "12"
+        checks:
+          - id: avd-ksv-0028
+        severity: LOW
+      - name: Privilege Escalation
+        description: Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.
+        id: "13"
+        checks:
+          - id: avd-ksv-0001
+        severity: MEDIUM
+      - name: Running as Non-root
+        description: Containers must be required to run as non-root users.
+        id: "14"
+        checks:
+          - id: avd-ksv-0012
+        severity: MEDIUM
+      - name: Running as Non-root user
+        description: Containers must not set runAsUser to 0
+        id: "15"
+        checks:
+          - id: avd-ksv-0105
+        severity: LOW
+      - name: Seccomp
+        description: Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited
+        id: "16"
+        checks:
+          - id: avd-ksv-0030
+        severity: LOW
+      - name: Capabilities
+        description: Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
+        id: "17"
+        checks:
+          - id: avd-ksv-0106
+        severity: LOW