
remediator: Fix policy violations in apps/test/nginx-chart/templates/deployment.yaml #447

Open
nirmata[bot] wants to merge 2 commits into helm_chart from
remediation-apps-test-nginx-chart-templates-deployment-yaml-helm_chart-udm7hicrf6

Conversation

@nirmata (nirmata bot, Contributor) commented Feb 10, 2026

Policy Violation Remediation

Cluster: remediator-host

Namespace: nginx-helm

File: apps/test/nginx-chart/templates/deployment.yaml

Remediation Results

| Policy Name | Explanation | Runtime Impact | Confidence |
| --- | --- | --- | --- |
| disallow-capabilities-strict | Changed capabilities to drop ALL instead of adding SYS_ADMIN | Removes all Linux capabilities - application must not require privileged operations | low |
| disallow-host-path | Replaced hostPath volume with emptyDir volume | No longer mounts host filesystem - data is ephemeral and container-local | low |
| disallow-host-ports | Changed hostPort from 81 to 0 (disabled) | Container port no longer exposed on host - external access requires Service | high |
| restrict-apparmor-profiles | Removed insecure AppArmor annotation that was set to unconfined | Default AppArmor profile will be applied instead of unconfined | high |
| disallow-capabilities | Changed capabilities from adding SYS_ADMIN to dropping ALL capabilities | Application must function without elevated capabilities - may break if it requires specific system access | low |
| require-run-as-nonroot | Added runAsNonRoot: true and runAsUser: 1000 to both pod and container security contexts | Forces container to run as non-root user - may break if application expects root access | low |
| restrict-volume-types | Replaced hostPath volume type with allowed emptyDir volume type | Volume is now ephemeral instead of persistent host filesystem access | low |
| restrict-automount-sa-token | Added automountServiceAccountToken: false to pod spec | Pod cannot access Kubernetes API - may break if application needs cluster access | low |
| disallow-privilege-escalation | Added allowPrivilegeEscalation: false to container security context | Prevents container from gaining additional privileges during runtime | high |
| restrict-seccomp-strict | Added seccompProfile with RuntimeDefault type to pod and container security contexts | Applies default seccomp filtering - may block certain system calls | high |
| disallow-privileged-containers | Changed privileged from true to false in security context | Container runs without root privileges - may break if it requires host-level access | low |

Nirmatabot commands and options

You can trigger nirmatabot actions by commenting on this PR:

  • @nirmatabot splitpr <policy-name1> <policy-name2> ... – Split a multi-policy remediation PR into separate, independent PRs.
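As an added illustration, and not code from the nirmatabot comment above or from the nginx-chart templates it modifies: a small Python checker that approximates the eleven policies listed in the remediation table and runs them against two constructed Deployment manifests, one carrying the violations the table describes and one with every remediation from the table applied. The function name `check_deployment`, the `nginx:PLACEHOLDER` image tag, the `/data` mount path and the allowed-volume-type set are assumptions; the checks are simplified stand-ins written for this page, not the logic of the real Kyverno policies (for instance, any added capability is flagged, and initContainers are checked alongside containers).

```python
"""Simplified checks for the policies in the remediation table (added example, not nirmatabot's code)."""
from __future__ import annotations

# Volume types the simplified restrict-volume-types check treats as allowed (assumption).
ALLOWED_VOLUME_TYPES = {"configMap", "emptyDir", "projected", "secret",
                        "downwardAPI", "persistentVolumeClaim", "ephemeral", "csi"}
# Prefix of the per-container AppArmor annotation key.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def check_deployment(deployment: dict) -> list[str]:
    """Return the sorted names of the table's policies that the pod template violates."""
    violations: set[str] = set()
    template = deployment["spec"]["template"]
    pod = template["spec"]
    pod_sc = pod.get("securityContext", {})
    annotations = template.get("metadata", {}).get("annotations", {})

    # Pod-level checks.
    if pod.get("automountServiceAccountToken", True):
        violations.add("restrict-automount-sa-token")
    if any(k.startswith(APPARMOR_PREFIX) and v == "unconfined" for k, v in annotations.items()):
        violations.add("restrict-apparmor-profiles")
    for volume in pod.get("volumes", []):
        volume_types = set(volume) - {"name"}
        if "hostPath" in volume_types:
            violations.add("disallow-host-path")
        if not volume_types <= ALLOWED_VOLUME_TYPES:
            violations.add("restrict-volume-types")

    # Container-level checks; fields Kubernetes inherits from the pod securityContext fall back to it.
    for container in pod.get("containers", []) + pod.get("initContainers", []):
        sc = container.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if any(port.get("hostPort", 0) != 0 for port in container.get("ports", [])):
            violations.add("disallow-host-ports")  # hostPort 0 counts as disabled
        if sc.get("privileged", False):
            violations.add("disallow-privileged-containers")
        if sc.get("allowPrivilegeEscalation", True):
            violations.add("disallow-privilege-escalation")
        if caps.get("add"):
            violations.add("disallow-capabilities")  # simplified: any added capability is flagged
        if "ALL" not in caps.get("drop", []):
            violations.add("disallow-capabilities-strict")
        run_as_nonroot = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_nonroot is not True and not (isinstance(run_as_user, int) and run_as_user > 0):
            violations.add("require-run-as-nonroot")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.add("restrict-seccomp-strict")
    return sorted(violations)


def _deployment(pod_annotations: dict, pod_spec: dict) -> dict:
    """Wrap a pod template in a minimal Deployment object (constructed sample)."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "nginx", "namespace": "nginx-helm"},
            "spec": {"template": {"metadata": {"annotations": pod_annotations}, "spec": pod_spec}}}


# Constructed "before": the state the table describes (image tag and paths are placeholders).
INSECURE = _deployment(
    {APPARMOR_PREFIX + "nginx": "unconfined"},
    {"containers": [{"name": "nginx", "image": "nginx:PLACEHOLDER",
                     "ports": [{"containerPort": 80, "hostPort": 81}],
                     "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
                     "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
     "volumes": [{"name": "data", "hostPath": {"path": "/var/data"}}]})

# Constructed "after": every remediation from the table applied.
_STRICT_SC = {"runAsNonRoot": True, "runAsUser": 1000, "seccompProfile": {"type": "RuntimeDefault"}}
REMEDIATED = _deployment(
    {},
    {"automountServiceAccountToken": False,
     "securityContext": dict(_STRICT_SC),
     "containers": [{"name": "nginx", "image": "nginx:PLACEHOLDER",
                     "ports": [{"containerPort": 80, "hostPort": 0}],
                     "securityContext": {**_STRICT_SC, "privileged": False,
                                         "allowPrivilegeEscalation": False,
                                         "capabilities": {"drop": ["ALL"]}},
                     "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
     "volumes": [{"name": "data", "emptyDir": {}}]})


if __name__ == "__main__":
    print("before:", check_deployment(INSECURE))   # all eleven policy names
    print("after: ", check_deployment(REMEDIATED))  # []
```

Running the module prints all eleven policy names for the "before" manifest and an empty list for the "after" one. What such a static check cannot tell you is exactly what the table's "low" confidence rows flag: whether the workload still starts once it runs as UID 1000 without capabilities, without a service-account token and with an ephemeral volume. That is a deployment test, not a manifest check.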
