
remediator: Fix policy violations in apps/test/nginx-chart/templates/deployment.yaml #445

Open

nirmata[bot] wants to merge 2 commits into helm_chart from remediation-apps-test-nginx-chart-templates-deployment-yaml-helm_chart-13y4x8ig2d

Conversation


nirmata[bot] commented Feb 10, 2026

Policy Violation Remediation

Cluster: remediator-host

Namespace: nginx-helm

File: apps/test/nginx-chart/templates/deployment.yaml

Remediation Results

| Policy Name | Explanation | Runtime Impact | Confidence |
|---|---|---|---|
| disallow-host-ports | Changed hostPort from 81 to 0 to disable host port binding | Service cannot bind to host ports - external access must use NodePort/LoadBalancer services | high |
| disallow-capabilities-strict | Replaced SYS_ADMIN capability with drop ALL to meet strict capability requirements | Container will run with minimal capabilities - privileged operations will fail | high |
| disallow-privilege-escalation | Added allowPrivilegeEscalation: false to container security context | Prevents privilege escalation attacks but may break applications requiring elevated permissions | high |
| restrict-apparmor-profiles | Removed unconfined AppArmor annotation by clearing podAnnotations | Default AppArmor profile will be used - should not affect most applications | high |
| disallow-privileged-containers | Changed privileged from true to false in security context | Container loses privileged access - kernel/hardware operations will fail | high |
| restrict-volume-types | Disabled hostPath volumes by setting volumes.hostPath.enabled to false | Pod will no longer mount host filesystem - applications expecting host access will fail | high |
| restrict-seccomp-strict | Added seccompProfile with type RuntimeDefault at both pod and container levels | Applies seccomp filtering - most applications should work but some syscalls may be blocked | high |
| restrict-automount-sa-token | Added automountServiceAccountToken: false to prevent automatic service account token mounting | Pod cannot access Kubernetes API - applications requiring API access will fail | high |
| disallow-host-path | Disabled hostPath volumes by setting enabled to false | Same as restrict-volume-types - no host filesystem access | high |
| require-run-as-nonroot | Added runAsNonRoot: true and runAsUser: 65534 at both pod and container levels | Container runs as non-root user - applications expecting root access will fail | high |
| disallow-capabilities | Removed SYS_ADMIN capability which is not in the allowed baseline capabilities list | Container loses admin capabilities - system-level operations will fail | high |

Nirmatabot commands and options

You can trigger nirmatabot actions by commenting on this PR:

  • @nirmatabot splitpr <policy-name1> <policy-name2> ... – Split a multi-policy remediation PR into separate, independent PRs.
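As an added example (not part of this PR or the remediator's own code), a Python check that evaluates a pod template against the eleven policies in the table above, run on a constructed before/after pair mirroring the listed changes; the evaluation logic is an assumption written for illustration, and the baseline capability list is the Pod Security Standards baseline set.

```python
# Added example: policy checks mirroring the remediation table (illustrative logic,
# not the remediator's implementation). Allowed capabilities are the PSS baseline set.
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                 "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def violations(pod: dict) -> set:
    # Returns the names of the policies the pod template violates.
    spec, annotations = pod["spec"], pod.get("metadata", {}).get("annotations", {})
    pod_sc = spec.get("securityContext", {})
    found = set()
    if spec.get("automountServiceAccountToken") is not False:
        found.add("restrict-automount-sa-token")
    if any("hostPath" in v for v in spec.get("volumes", [])):
        found |= {"disallow-host-path", "restrict-volume-types"}
    if any(k.startswith(APPARMOR_PREFIX) and v == "unconfined" for k, v in annotations.items()):
        found.add("restrict-apparmor-profiles")
    for c in spec["containers"]:
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if any(p.get("hostPort") for p in c.get("ports", [])):  # hostPort 0 means unset
            found.add("disallow-host-ports")
        if sc.get("privileged"):
            found.add("disallow-privileged-containers")
        if sc.get("allowPrivilegeEscalation") is not False:  # must be set explicitly
            found.add("disallow-privilege-escalation")
        if set(caps.get("add", [])) - BASELINE_CAPS:
            found.add("disallow-capabilities")
        if "ALL" not in caps.get("drop", []):
            found.add("disallow-capabilities-strict")
        # Pod-level settings are inherited unless the container overrides them.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            found.add("require-run-as-nonroot")
        prof = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if prof.get("type") not in ("RuntimeDefault", "Localhost"):
            found.add("restrict-seccomp-strict")
    return found


# Constructed sample: the chart's pod template before and after the remediation.
BEFORE = {"metadata": {"annotations": {APPARMOR_PREFIX + "nginx": "unconfined"}},
          "spec": {"volumes": [{"name": "host", "hostPath": {"path": "/"}}],
                   "containers": [{"name": "nginx", "ports": [{"containerPort": 80, "hostPort": 81}],
                                   "securityContext": {"privileged": True,
                                                       "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
AFTER = {"metadata": {},
         "spec": {"automountServiceAccountToken": False,
                  "securityContext": {"runAsNonRoot": True, "runAsUser": 65534,
                                      "seccompProfile": {"type": "RuntimeDefault"}},
                  "containers": [{"name": "nginx", "ports": [{"containerPort": 80, "hostPort": 0}],
                                  "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                                      "runAsNonRoot": True, "runAsUser": 65534,
                                                      "seccompProfile": {"type": "RuntimeDefault"},
                                                      "capabilities": {"drop": ["ALL"]}}}]}}
```

Running `violations(BEFORE)` reports all eleven policies from the table, and `violations(AFTER)` reports none.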
