
remediator: Fix policy violations in apps/nginx/deployment.yaml #462

Open
nirmata[bot] wants to merge 1 commit into main from
remediation-apps-nginx-deployment-yaml-main-b9ay3sjqbf

Conversation

@nirmata (Contributor) commented Feb 12, 2026

Policy Violation Remediation

Cluster: remediator-host

Namespace: nginx

File: apps/nginx/deployment.yaml

Remediation Results

| Policy Name | Explanation | Runtime Impact | Confidence |
| --- | --- | --- | --- |
| disallow-host-path | Replaced hostPath volume with emptyDir volume to prevent host filesystem access | Application will lose access to host /etc directory; if the app depends on host configuration files, certificates, or system files, it will fail to start or function properly | low |
| restrict-automount-sa-token | Added automountServiceAccountToken: false to prevent automatic service account token mounting | Application cannot access Kubernetes API using mounted service account; if the app needs to interact with K8s API, it will lose authentication capability | high |
| restrict-volume-types | Replaced prohibited hostPath volume with allowed emptyDir volume type | Application will use ephemeral storage instead of host directory; data will not persist across pod restarts and host files are inaccessible | low |
| disallow-host-ports | Removed hostPort: 80 from container port configuration to prevent host port binding | Application will no longer bind to host port 80; external traffic cannot reach the service directly via host IP, requiring Service/Ingress configuration for access | low |
| disallow-privilege-escalation | Set allowPrivilegeEscalation to false to prevent privilege escalation | Application cannot escalate privileges during runtime; most standard applications are unaffected, but apps requiring privilege escalation will fail | high |
| require-run-as-nonroot | Added runAsNonRoot: true and runAsUser: 1001 to both pod and container securityContext | Application will run as non-root user 1001; if the app requires root privileges, writes to root-owned files, or binds to privileged ports, it will fail to function | low |
| disallow-privileged-containers | Changed privileged from true to false to disable privileged mode | Container loses access to host devices and kernel features; if the app requires hardware access, kernel modules, or system-level operations, it will fail | low |
| disallow-capabilities | Removed SYS_ADMIN capability as it's not in the allowed capabilities list | Application loses system administration capabilities; if the app requires mounting filesystems, managing devices, or other admin functions, it will fail | low |
| restrict-seccomp-strict | Added seccompProfile with type RuntimeDefault to pod and container securityContext | Application will be restricted by default seccomp profile limiting system calls; most applications are unaffected, but those using restricted syscalls may fail | high |
| disallow-capabilities-strict | Replaced SYS_ADMIN capability with drop ALL capabilities requirement and removed prohibited capabilities | Application will lose all Linux capabilities and SYS_ADMIN privileges; if the app requires system administration functions or special permissions, it will fail to operate correctly | low |

Nirmatabot commands and options

You can trigger nirmatabot actions by commenting on this PR:

  • @nirmatabot split-pr <policy-name1> <policy-name2> ... – Split a multi-policy remediation PR into separate, independent PRs.
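As an added example (not code from this PR or from the Nirmata remediator), the script below implements the ten policies in the table above as checks over a Deployment and runs them against two constructed manifests: one carrying every setting the table says was removed (hostPath on /etc, hostPort 80, privileged, SYS_ADMIN, no seccomp, no non-root settings) and the remediated form the table describes. The manifests, the allowed volume-type and capability lists, and the pod-versus-container precedence are assumptions mirroring the Kyverno pod-security policies of the same names; the real apps/nginx/deployment.yaml is not shown on this page. Manifests are written as Python dicts (what yaml.safe_load would return) so the script runs offline with no third-party library.

```python
"""Added example: checker for the ten Kyverno pod-security policies named in the
remediation table. Not the remediator's code; the Deployments below are constructed."""

# Volume types the PSS restricted profile allows (restrict-volume-types); assumed list.
ALLOWED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                        "persistentVolumeClaim", "projected", "secret"}
# Capabilities the baseline profile lets a container add (disallow-capabilities); assumed list.
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                 "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
# The restricted profile only permits re-adding NET_BIND_SERVICE after dropping ALL.
STRICT_CAPS = {"NET_BIND_SERVICE"}


def _sc(obj):
    return obj.get("securityContext") or {}


def _effective(pod, container, key):
    """A pod-level securityContext field is inherited unless the container overrides it."""
    return _sc(container)[key] if key in _sc(container) else _sc(pod).get(key)


def _caps(container):
    caps = _sc(container).get("capabilities") or {}
    return set(caps.get("add") or []), set(caps.get("drop") or [])


def check(deployment):
    """Return the names of the policies the Deployment's pod template violates, in table order."""
    pod = deployment["spec"]["template"]["spec"]
    cs = pod.get("initContainers", []) + pod.get("containers", [])
    vols = pod.get("volumes") or []
    violated = []

    def rule(name, failed):
        if failed:
            violated.append(name)

    rule("disallow-host-path", any("hostPath" in v for v in vols))
    rule("restrict-automount-sa-token", pod.get("automountServiceAccountToken") is not False)
    # A volume object is {"name": ..., "<type>": {...}}; the type is the key that is not "name".
    rule("restrict-volume-types", any(set(v) - {"name"} - ALLOWED_VOLUME_TYPES for v in vols))
    rule("disallow-host-ports", any(p.get("hostPort") for c in cs for p in c.get("ports") or []))
    rule("disallow-privilege-escalation",
         any(_sc(c).get("allowPrivilegeEscalation") is not False for c in cs))
    rule("require-run-as-nonroot", any(_effective(pod, c, "runAsNonRoot") is not True for c in cs))
    rule("disallow-privileged-containers", any(_sc(c).get("privileged") is True for c in cs))
    rule("disallow-capabilities", any(_caps(c)[0] - BASELINE_CAPS for c in cs))
    rule("restrict-seccomp-strict",
         any((_effective(pod, c, "seccompProfile") or {}).get("type")
             not in ("RuntimeDefault", "Localhost") for c in cs))
    rule("disallow-capabilities-strict",
         any("ALL" not in _caps(c)[1] or _caps(c)[0] - STRICT_CAPS for c in cs))
    return violated


# Constructed "before" manifest: carries every setting the table says was removed.
VULNERABLE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx", "namespace": "nginx"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "nginx", "image": "nginx:1.27",
            "ports": [{"containerPort": 80, "hostPort": 80}],
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "host-etc", "mountPath": "/host/etc"}],
        }],
        "volumes": [{"name": "host-etc", "hostPath": {"path": "/etc"}}],
    }}},
}

# Constructed "after" manifest: the remediations the table describes, applied together.
REMEDIATED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx", "namespace": "nginx"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "nginx", "image": "nginx:1.27",
            "ports": [{"containerPort": 80}],
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                "runAsNonRoot": True, "runAsUser": 1001,
                                "seccompProfile": {"type": "RuntimeDefault"},
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "host-etc", "mountPath": "/host/etc"}],
        }],
        "volumes": [{"name": "host-etc", "emptyDir": {}}],
    }}},
}

if __name__ == "__main__":
    print("before:", check(VULNERABLE))   # all ten policy names
    print("after: ", check(REMEDIATED))   # []
```

The checker passes the remediated manifest, but note the runtime caveat the table itself flags under require-run-as-nonroot: with ALL capabilities dropped and uid 1001, a stock nginx image that listens on port 80 cannot bind it, because Linux reserves ports below 1024 for CAP_NET_BIND_SERVICE. A deployable fix therefore also moves the listen port above 1024 or re-adds NET_BIND_SERVICE, which the strict capability policy still allows; the "low" confidence on those rows is the bot saying exactly that.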
