I hope this message finds you well. I am writing to bring to your attention some critical vulnerability issues that we have identified in Emissary CRDs. These vulnerabilities pose significant risks to the security and integrity of our systems, and we believe it is imperative to address them promptly.
Through the use of the KICS tool (https://docs.kics.io/latest/getting-started/), we have identified several vulnerabilities within Emissary CRDs, including but not limited to:
Privilege escalation allowed
Containers running as root
NET_RAW capabilities not being dropped
Seccomp profile not configured
No drop capabilities for containers
Containers running with low UID
Service account token automount not disabled
RBAC wildcard in rule
Deployment without PodDisruptionBudget
These vulnerabilities expose our systems to potential attacks, data breaches, and other security risks. Therefore, we urge the Emissary community to prioritize addressing these issues and releasing patches or updates to mitigate the risks associated with them.
We understand that ensuring the security of software is a collaborative effort, and we are committed to assisting in any way we can to resolve these vulnerabilities. We would appreciate timely communication from the Emissary community regarding the steps being taken to address these issues and any guidance on best practices for mitigating these vulnerabilities in the interim.
Thank you for your attention to this matter. We are seeking your support and guidance to ensure the continued security and reliability of Emissary CRDs.
Best regards,
Here is the report generated after the KICS scan tool was run on our directory; the findings for the file with path ../../path/one-time-setup/emissary-crds.yaml are the vulnerabilities related to emissary-crds.
jiteshonce changed the title from "KICS Scan Vuklnerabilities Found in emissary-crds.yml file" to "KICS Scan Vulnerabilities Found in emissary-crds.yml file" on Jun 12, 2024
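The pod-level findings named in the report map to a handful of Kubernetes pod and container fields. The sketch below is an added example, not part of the issue and not KICS's or Emissary's own code: it checks a pod spec (as a dict) for seven of the listed findings and contrasts a constructed unhardened spec with a corrected one. The function name, the sample specs and the UID threshold of 10000 are assumptions made for illustration.

```python
# Added example: simplified checks for the pod-level findings; not KICS's query logic.
LOW_UID_THRESHOLD = 10000  # assumption: UIDs below this count as "low"

def audit_pod_spec(pod_spec):
    """Return the set of finding names that apply to a pod spec dict."""
    findings = set()
    if pod_spec.get("automountServiceAccountToken") is not False:
        findings.add("Service account token automount not disabled")
    pod_sc = pod_spec.get("securityContext") or {}
    for container in pod_spec.get("containers", []):
        sc = container.get("securityContext") or {}
        # Fields that exist at both levels: the container value wins.
        merged = {**pod_sc, **sc}
        uid = merged.get("runAsUser")
        if merged.get("runAsNonRoot") is not True and uid in (None, 0):
            findings.add("Containers running as root")
        if uid is None or uid < LOW_UID_THRESHOLD:
            findings.add("Containers running with low UID")
        seccomp = (merged.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.add("Seccomp profile not configured")
        # These two fields exist only at container level.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.add("Privilege escalation allowed")
        caps = sc.get("capabilities") or {}
        dropped = {c.upper() for c in caps.get("drop", [])}
        if not dropped:
            findings.add("No drop capabilities for containers")
        if not dropped & {"ALL", "NET_RAW"}:
            findings.add("NET_RAW capabilities not being dropped")
    return findings

# Constructed sample: a pod spec with no hardening at all.
WEAK = {"containers": [{"name": "app", "image": "example.invalid/app:1.0"}]}

# Constructed sample: the same pod with each setting corrected.
HARDENED = {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "app",
        "image": "example.invalid/app:1.0",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}
```

The "RBAC wildcard in rule" and "Deployment without PodDisruptionBudget" findings concern other resource kinds and are outside what this pod-spec check covers.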