Kubescan show wrong risks in mulit-container Pods

[ayoubeddafali]

Hi,
We have a set of microservices deployed, and in each microservice pod we inject a linkerd proxy container alongside the application container for service mesh reasons.

Somehow, for all pods that has the injected linkerd container, kubescan shows wrong risks results.
When uninjecting manually the linkerd container from the pod, kubescan then show the correct risks.

[thehh1974]

@ayoubeddafali - can you expand on what you mean by "wrong risk results"? The risk score should include any risk introduced by the sidecar.

[snahelou]

Hello

kubescan report also initContainers... It should not imho.

Because my deployment has :

        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          runAsNonRoot: true
          runAsUser: 2020

And kube-scan report me

• Workload allows privilege escalation
• Workload has a container(s) with NET_RAW capability

[ayoubeddafali]

@thehh1974 Thanks for responding.
It is totally the inverse, with the sidecar container present, the total risks are less than when it is not.