
remediator: Fix policy violations in apps/nginx/deployment.yaml #458

Open
nirmata[bot] wants to merge 1 commit into main from
remediation-apps-nginx-deployment-yaml-main-se40ktvy8o

Conversation

nirmata[bot] (Contributor) commented Feb 11, 2026

Policy Violation Remediation

Cluster: remediator-host

Namespace: nginx

File: apps/nginx/deployment.yaml

Remediation Results

Policy: restrict-seccomp-strict
  Explanation: Added seccompProfile with type RuntimeDefault to both pod and container security contexts for syscall filtering.
  Runtime impact: Application syscalls will be filtered by default seccomp profile; some system calls may be blocked. Monitor for seccomp violations.
  Confidence: high

Policy: restrict-automount-sa-token
  Explanation: Added automountServiceAccountToken: false to prevent automatic mounting of service account tokens for least privilege.
  Runtime impact: Application loses ability to authenticate with Kubernetes API; API calls will fail. Verify nginx doesn't need K8s API access.
  Confidence: high

Policy: disallow-capabilities
  Explanation: Removed SYS_ADMIN capability as it's not in the allowed list of capabilities for baseline security.
  Runtime impact: Application will lose administrative capabilities; functionality requiring system administration will fail. Verify nginx doesn't need SYS_ADMIN.
  Confidence: low

Policy: restrict-volume-types
  Explanation: Changed hostPath volume to emptyDir as hostPath is not in the allowed volume types for restricted security.
  Runtime impact: Application loses access to host /etc directory; will fail if it needs host configuration files. Verify nginx doesn't need host filesystem access.
  Confidence: low

Policy: disallow-host-path
  Explanation: Replaced hostPath volume with emptyDir as hostPath volumes are forbidden for security reasons.
  Runtime impact: Application loses access to host /etc directory; will fail if it depends on host configuration files. Verify nginx doesn't need host filesystem access.
  Confidence: low

Policy: disallow-privilege-escalation
  Explanation: Added allowPrivilegeEscalation: false to container security context to prevent privilege escalation via setuid/setgid.
  Runtime impact: Application cannot escalate privileges during runtime; setuid/setgid operations will fail. Verify nginx doesn't need privilege escalation.
  Confidence: high

Policy: require-run-as-nonroot
  Explanation: Added runAsNonRoot: true and runAsUser: 1000 to both pod and container security contexts to enforce non-root execution.
  Runtime impact: Application may fail to start if it requires root privileges or writes to root-owned directories. Verify nginx can run as non-root user.
  Confidence: low

Policy: disallow-capabilities-strict
  Explanation: Removed SYS_ADMIN capability and added drop: [ALL] to meet strict capability requirements allowing only NET_BIND_SERVICE.
  Runtime impact: Application loses all Linux capabilities except NET_BIND_SERVICE; privileged operations will fail. Verify nginx only needs basic networking.
  Confidence: low

Policy: disallow-host-ports
  Explanation: Changed hostPort from 80 to 0 to prevent direct host port binding which could enable network snooping.
  Runtime impact: Application will no longer be directly accessible on host port 80; requires LoadBalancer/NodePort service for external access.
  Confidence: high

Policy: disallow-privileged-containers
  Explanation: Changed privileged from true to false to disable privileged mode which bypasses most security mechanisms.
  Runtime impact: Application loses elevated system access; operations requiring privileged mode will fail. Verify nginx doesn't need privileged access.
  Confidence: low

Nirmatabot commands and options

You can trigger nirmatabot actions by commenting on this PR:

  • @nirmatabot splitpr <policy-name1> <policy-name2> ... – Split a multi-policy remediation PR into separate, independent PRs.
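The remediation described in the table above, as an added example that is not nirmata's code and not the contents of apps/nginx/deployment.yaml (the PR page does not show the file). The ORIGINAL manifest is a constructed stand-in that trips every listed policy; remediate() applies the ten changes the table describes, and violations() encodes each policy's pass condition so the result can be checked before and after. The allowed-capability and allowed-volume lists are the Pod Security Standards baseline/restricted lists, which is an assumption about what the policy names refer to; the remediated container adds no capability back, which is another assumption since the table only says SYS_ADMIN was removed and drop: [ALL] added.

```python
# Added example, not nirmata's code and not the real apps/nginx/deployment.yaml:
# a constructed "before" Deployment, the remediation the PR table describes, and a
# checker that reports which of the ten listed policies a Deployment still fails.
import copy

# Pod Security Standards lists (assumed to be what the policy names refer to).
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                 "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
STRICT_CAPS = {"NET_BIND_SERVICE"}
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}
SECCOMP_OK = {"RuntimeDefault", "Localhost"}

# Constructed stand-in for the pre-remediation manifest (an assumption, not from the PR).
ORIGINAL = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx", "namespace": "nginx"},
    "spec": {
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {
            "metadata": {"labels": {"app": "nginx"}},
            "spec": {
                "containers": [{
                    "name": "nginx", "image": "nginx:1.27",
                    "ports": [{"containerPort": 80, "hostPort": 80}],
                    "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
                    "volumeMounts": [{"name": "host-etc", "mountPath": "/host/etc"}],
                }],
                "volumes": [{"name": "host-etc", "hostPath": {"path": "/etc"}}],
            },
        },
    },
}

def _effective(pod_ctx, ctr_ctx, key):
    # A container securityContext field overrides the pod-level one when set.
    return ctr_ctx.get(key, pod_ctx.get(key))

def violations(deployment):
    """Names of the PR's ten policies that this Deployment still violates."""
    pod = deployment["spec"]["template"]["spec"]
    pod_ctx = pod.get("securityContext", {})
    found = []
    flag = lambda name: found.append(name) if name not in found else None
    if pod.get("automountServiceAccountToken") is not False:  # defaults to true
        flag("restrict-automount-sa-token")
    for vol in pod.get("volumes", []):
        sources = set(vol) - {"name"}  # a volume has a name plus one source key
        if "hostPath" in sources:
            flag("disallow-host-path")
        if not sources <= RESTRICTED_VOLUMES:
            flag("restrict-volume-types")
    for ctr in pod.get("containers", []) + pod.get("initContainers", []):
        ctx = ctr.get("securityContext", {})
        caps = ctx.get("capabilities", {})
        added, dropped = set(caps.get("add", [])), set(caps.get("drop", []))
        if (_effective(pod_ctx, ctx, "seccompProfile") or {}).get("type") not in SECCOMP_OK:
            flag("restrict-seccomp-strict")
        if not added <= BASELINE_CAPS:
            flag("disallow-capabilities")
        if "ALL" not in dropped or not added <= STRICT_CAPS:
            flag("disallow-capabilities-strict")
        if ctx.get("allowPrivilegeEscalation") is not False:
            flag("disallow-privilege-escalation")
        if _effective(pod_ctx, ctx, "runAsNonRoot") is not True:
            flag("require-run-as-nonroot")
        if ctx.get("privileged") is True:
            flag("disallow-privileged-containers")
        if any(p.get("hostPort") not in (None, 0) for p in ctr.get("ports", [])):
            flag("disallow-host-ports")
    return found

def remediate(deployment):
    """Apply the changes from the PR table and return a new Deployment (input untouched)."""
    fixed = copy.deepcopy(deployment)
    pod = fixed["spec"]["template"]["spec"]
    pod["automountServiceAccountToken"] = False
    pod.setdefault("securityContext", {}).update(
        {"seccompProfile": {"type": "RuntimeDefault"}, "runAsNonRoot": True, "runAsUser": 1000})
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:  # same mount path, but now an empty scratch directory
            del vol["hostPath"]
            vol["emptyDir"] = {}
    for ctr in pod.get("containers", []) + pod.get("initContainers", []):
        ctr.setdefault("securityContext", {}).update({
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "runAsNonRoot": True,
            "runAsUser": 1000,
            "seccompProfile": {"type": "RuntimeDefault"},
            "capabilities": {"drop": ["ALL"]},  # SYS_ADMIN gone; nothing added back (assumption)
        })
        for port in ctr.get("ports", []):
            if port.get("hostPort"):
                port["hostPort"] = 0  # 0 is "no host port" to the API server
    return fixed

if __name__ == "__main__":
    print("before:", violations(ORIGINAL))
    print("after: ", violations(remediate(ORIGINAL)))
```

The "Runtime Impact" column is the part worth acting on before merging: with all capabilities dropped and runAsUser: 1000, the stock nginx image cannot bind port 80 (a privileged port) and starts as root by default, so either the unprivileged nginx image variant that listens on 8080 or an explicit NET_BIND_SERVICE in capabilities.add is needed, and the emptyDir that replaced the host /etc mount starts empty. After applying the PR, confirm the rollout with `kubectl -n nginx rollout status deployment/nginx` and read `kubectl -n nginx logs deployment/nginx` for bind or permission errors.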
