This repository has been archived by the owner on Sep 27, 2024. It is now read-only.

BATIAI-976 - Add standard files #12

Merged: merged 1 commit into from, Oct 26, 2023

Conversation

j-mowery
Contributor

Fixes Issue: BATIAI-976

Description:

Add standard process files

Security Impact Analysis Questionnaire

Submitter Checklist

  • Is there an impact on Auditing and Logging procedures or capabilities?
  • Is there an impact on Authentication procedures or capabilities?
  • Is there an impact on Authorization procedures or capabilities?
  • Is there an impact on Communication Security procedures or capabilities?
  • Is there an impact on Cryptography procedures or capabilities?
  • Is there an impact on Sensitive Data procedures or capabilities?
  • Is there an impact on any other security-related procedures or capabilities?
  • No security impacts identified.

Security Risks Identified - For any applicable items on the "Submitter Checklist," describe the impact of the change and any implemented mitigations.

@j-mowery j-mowery self-assigned this Oct 26, 2023
@j-mowery j-mowery requested a review from a team October 26, 2023 19:41
@robo-gotham

Snyk Scanning for Commit: 4ad72aa

Snyk Infrastructure as Code

  • Snyk testing Infrastructure as Code configuration issues.
    ✔ Test completed.

Issues

Low Severity Issues: 6

[Low] Container's or Pod's UID could clash with host's UID
Info: runAsUser value is set to low UID. UID of the container processes
could clash with host's UIDs and lead to unintentional authorization
bypass
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-K8S-11
Path: [DocId: 0] > input > spec > template > spec > containers[inflate] >
securityContext > runAsUser
File: test/test.yaml
Resolve: Set securityContext.runAsUser value to greater or equal than
10'000. SecurityContext can be set on both pod and container
level. If both are set, then the container level takes precedence

[Low] Container is running without memory limit
Info: Memory limit is not defined. Containers without memory limits are
more likely to be terminated when the node runs out of memory
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-K8S-4
Path: [DocId: 0] > input > spec > template > spec > containers[inflate] >
resources > limits > memory
File: test/test.yaml
Resolve: Set resources.limits.memory value

[Low] Container is running without liveness probe
Info: Liveness probe is not defined. Kubernetes will not be able to detect
if application is able to service requests, and will not restart
unhealthy pods
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-K8S-41
Path: [DocId: 0] > spec > template > spec > containers[inflate] >
livenessProbe
File: test/test.yaml
Resolve: Add livenessProbe attribute

[Low] Container could be running with outdated image
Info: The image policy does not prevent image reuse. The container may run
with outdated or unauthorized image
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-K8S-42
Path: [DocId: 0] > spec > template > spec > containers[inflate] >
imagePullPolicy
File: test/test.yaml
Resolve: Set imagePullPolicy attribute to Always

[Low] Container has no CPU limit
Info: Container has no CPU limit. CPU limits can prevent containers from
consuming valuable compute time for no benefit (e.g. inefficient
code) that might lead to unnecessary costs. It is advisable to also
configure CPU requests to ensure application stability.
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-K8S-5
Path: [DocId: 0] > input > spec > template > spec > containers[inflate] >
resources > limits > cpu
File: test/test.yaml
Resolve: Add resources.limits.cpu field with required CPU limit value

[Low] Container is running with writable root filesystem
Info: readOnlyRootFilesystem attribute is not set to true. Compromised
process could abuse writable root filesystem to elevate privileges
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-K8S-8
Path: [DocId: 0] > spec > template > spec > containers[inflate] >
securityContext > readOnlyRootFilesystem
File: test/test.yaml
Resolve: Set spec.{containers, initContainers}.securityContext.readOnlyRootFilesystem to true

Medium Severity Issues: 3

[Medium] Container or Pod is running without root user control
Info: Container or Pod is running without root user control. Container or
Pod could be running with full administrative privileges
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-K8S-10
Path: [DocId: 0] > input > spec > template > spec > containers[inflate] >
securityContext > runAsNonRoot
File: test/test.yaml
Resolve: Set securityContext.runAsNonRoot to true

[Medium] Container does not drop all default capabilities
Info: All default capabilities are not explicitly dropped. Containers are
running with potentially unnecessary privileges
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-K8S-6
Path: [DocId: 0] > input > spec > template > spec > containers[inflate] >
securityContext > capabilities > drop
File: test/test.yaml
Resolve: Add ALL to securityContext.capabilities.drop list, and add only
required capabilities in securityContext.capabilities.add

[Medium] Container is running without privilege escalation control
Info: allowPrivilegeEscalation attribute is not set to false. Processes
could elevate current privileges via known vectors, for example SUID
binaries
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-K8S-9
Path: [DocId: 0] > spec > template > spec > containers[inflate] >
securityContext > allowPrivilegeEscalation
File: test/test.yaml
Resolve: Set spec.{containers, initContainers}.securityContext.allowPrivilegeEscalation to false


Test Summary

Organization: batcave-ispg
Project name: CMS-Enterprise/batcave-tf-karpenter

✔ Files without issues: 7
✗ Files with issues: 1
Ignored issues: 0
Total issues: 9 [ 0 critical, 0 high, 3 medium, 6 low ]


Report Complete

Your test results are available at: https://snyk.io/org/batcave-ispg/projects
under the name: CMS-Enterprise/batcave-tf-karpenter

@bushong1 bushong1 merged commit 1e090e6 into main Oct 26, 2023
1 check passed
@bushong1 bushong1 deleted the BATIAI-976-add-standard-files branch October 26, 2023 19:57