
remediator: Fix policy violations in apps/test/nginx-chart/templates/deployment.yaml #455

Open

nirmata[bot] wants to merge 2 commits into helm_chart from
remediation-apps-test-nginx-chart-templates-deployment-yaml-helm_chart-8mapivzuzq

Conversation


nirmata[bot] commented Feb 11, 2026

Policy Violation Remediation

Cluster: remediator-host

Namespace: nginx-helm

File: apps/test/nginx-chart/templates/deployment.yaml

Remediation Results

| Policy Name | Explanation | Runtime Impact | Confidence |
|---|---|---|---|
| restrict-volume-types | Replaced hostPath volume with emptyDir volume type which is in the allowed list | Volume mount will use empty directory instead of host filesystem - may break app if it needs host file access | low |
| disallow-capabilities | Removed SYS_ADMIN capability which is not in the allowed list | Container will not have elevated system administration privileges | high |
| disallow-privilege-escalation | Added allowPrivilegeEscalation: false to container security context | Container cannot escalate privileges during runtime | high |
| restrict-seccomp-strict | Added seccompProfile with RuntimeDefault type to both pod and container security contexts | Enhanced security filtering of system calls | high |
| restrict-apparmor-profiles | Removed unconfined AppArmor annotation which is disallowed | Default AppArmor profile will be used instead of unconfined mode | high |
| disallow-host-ports | Removed hostPort configuration from container ports | Container port no longer exposed on host - external access requires Service or Ingress | high |
| disallow-host-path | Replaced hostPath volume with emptyDir volume | No access to host filesystem - application cannot read/write host files | low |
| restrict-automount-sa-token | Added automountServiceAccountToken: false to pod spec | Pod cannot access Kubernetes API via service account token | high |
| disallow-capabilities-strict | Changed capabilities to drop ALL and removed disallowed SYS_ADMIN capability | Container will run with minimal capabilities, may break functionality requiring specific privileges | low |
| disallow-privileged-containers | Changed privileged from true to false in security context | Container will not run in privileged mode, may break functionality requiring root access | low |
| require-run-as-nonroot | Added runAsNonRoot: true to both pod and container security contexts | Container must run as non-root user - may break apps requiring root privileges | low |

Nirmatabot commands and options

You can trigger nirmatabot actions by commenting on this PR:

  • @nirmatabot splitpr <policy-name1> <policy-name2> ... – Split a multi-policy remediation PR into separate, independent PRs.
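
The table above lists eleven pod-security settings the remediator changed but does not show how a reviewer would confirm, before merging, that the rendered template actually satisfies all of them. The following is an added example, not the nirmata remediator's code nor anything from this repository: a small checker that encodes those eleven policies and runs it over a constructed "before" Deployment (hostPath, hostPort, privileged, SYS_ADMIN, unconfined AppArmor, nothing else set) and a constructed "after" Deployment carrying every change the table describes. The image, container name, mount path and port numbers are assumptions, and the allowed volume-type and capability lists follow the Pod Security Standards baseline/restricted profiles as I understand them rather than the exact policy definitions used in this cluster.

```python
# Added example, not the nirmata remediator's own code: a minimal checker that
# encodes the eleven policies from the remediation table and runs it over a
# constructed "before" Deployment and a constructed "after" Deployment that
# carries every fix the table lists. Image, container name, paths and port
# numbers are assumptions; the allow-lists follow the Pod Security Standards
# as I understand them, not the cluster's actual policy definitions.

ALLOWED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                        "persistentVolumeClaim", "projected", "secret"}
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
                 "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP",
                 "SETUID", "SYS_CHROOT"}
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def check_deployment(manifest):
    """Return the sorted policy names that the Deployment's pod template violates."""
    template = manifest["spec"]["template"]
    spec = template["spec"]
    annotations = template.get("metadata", {}).get("annotations", {})
    pod_sc = spec.get("securityContext", {})
    violations = set()

    for vol in spec.get("volumes", []):
        kinds = set(vol) - {"name"}  # e.g. {"hostPath"} or {"emptyDir"}
        if "hostPath" in kinds:
            violations.add("disallow-host-path")
        if not kinds <= ALLOWED_VOLUME_TYPES:
            violations.add("restrict-volume-types")

    # The API default is true, so the token is mounted unless explicitly disabled.
    if spec.get("automountServiceAccountToken", True):
        violations.add("restrict-automount-sa-token")

    for key, value in annotations.items():
        if key.startswith(APPARMOR_PREFIX) and value == "unconfined":
            violations.add("restrict-apparmor-profiles")

    pod_seccomp = pod_sc.get("seccompProfile", {}).get("type")
    pod_nonroot = pod_sc.get("runAsNonRoot")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        added = set(sc.get("capabilities", {}).get("add", []))
        dropped = set(sc.get("capabilities", {}).get("drop", []))

        if any(p.get("hostPort") for p in c.get("ports", [])):
            violations.add("disallow-host-ports")
        if sc.get("privileged"):
            violations.add("disallow-privileged-containers")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.add("disallow-privilege-escalation")
        if not added <= BASELINE_CAPS:
            violations.add("disallow-capabilities")
        if "ALL" not in dropped or not added <= {"NET_BIND_SERVICE"}:
            violations.add("disallow-capabilities-strict")
        # Container-level settings override the pod-level ones.
        seccomp = sc.get("seccompProfile", {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.add("restrict-seccomp-strict")
        if sc.get("runAsNonRoot", pod_nonroot) is not True:
            violations.add("require-run-as-nonroot")

    return sorted(violations)


def nginx_deployment(annotations, pod_spec_extra, volume, ports, container_sc):
    """Build a constructed nginx Deployment; only the policy-relevant fields vary."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "nginx", "namespace": "nginx-helm"},
            "spec": {"template": {
                "metadata": {"annotations": annotations},
                "spec": {**pod_spec_extra, "volumes": [{"name": "data", **volume}],
                         "containers": [{"name": "nginx", "image": "nginx:1.27",  # assumed
                                         "ports": ports, "securityContext": container_sc,
                                         "volumeMounts": [{"name": "data",
                                                           "mountPath": "/data"}]}]}}}}


# Constructed "before": hostPath, hostPort, privileged, SYS_ADMIN, unconfined AppArmor.
BEFORE = nginx_deployment(
    annotations={APPARMOR_PREFIX + "nginx": "unconfined"}, pod_spec_extra={},
    volume={"hostPath": {"path": "/var/data"}},
    ports=[{"containerPort": 80, "hostPort": 8080}],
    container_sc={"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}})

# Constructed "after": every change listed in the remediation table applied.
AFTER = nginx_deployment(
    annotations={},
    pod_spec_extra={"automountServiceAccountToken": False,
                    "securityContext": {"runAsNonRoot": True,
                                        "seccompProfile": {"type": "RuntimeDefault"}}},
    volume={"emptyDir": {}}, ports=[{"containerPort": 80}],
    container_sc={"privileged": False, "allowPrivilegeEscalation": False,
                  "runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"},
                  "capabilities": {"drop": ["ALL"]}})

if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER)):
        print(label, check_deployment(manifest) or "no violations")
```

Running it prints all eleven policy names for the "before" manifest and "no violations" for the "after" one. The checker deliberately applies the same precedence Kubernetes does for seccompProfile and runAsNonRoot (container-level overrides pod-level), which is why the table's note that both contexts were set matters: setting only the pod-level value leaves a container that later sets its own securityContext free to regress. To use it against the real chart, render the template with `helm template` and parse the resulting YAML into the same dict shape.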
