Skip to content

ConfigAuditReport

An instance of the ConfigAuditReport represents checks performed by configuration auditing tools, such as Polaris and Conftest, against a Kubernetes object's configuration. For example, check that a given container image runs as non-root user or that a container has resource requests and limits set. Checks might relate to Kubernetes workloads and other namespaced Kubernetes objects such as Services, ConfigMaps, Roles, and RoleBindings.

Each report is owned by the underlying Kubernetes object and is stored in the same namespace, following the <workload-kind>-<workload-name> naming convention.

The following listing shows a sample ConfigAuditReport associated with the ReplicaSet named nginx-6d4cf56db6 in the default namespace.

apiVersion: aquasecurity.github.io/v1alpha1
kind: ConfigAuditReport
metadata:
  name: replicaset-nginx-6d4cf56db6
  namespace: default
  labels:
    starboard.resource.kind: ReplicaSet
    starboard.resource.name: nginx-6d4cf56db6
    starboard.resource.namespace: default
    plugin-config-hash: 7f65d98b75
    resource-spec-hash: 7cb64cb677
  uid: d5cf8847-c96d-4534-beb9-514a34230302
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: nginx-6d4cf56db6
      uid: aa345200-cf24-443a-8f11-ddb438ff8659
report:
  updateTimestamp: '2021-05-20T12:38:10Z'
  scanner:
    name: Polaris
    vendor: Fairwinds Ops
    version: '3.2'
  summary:
    dangerCount: 0
    passCount: 3
    warningCount: 2
  checks:
    - category: Security
      checkID: hostNetworkSet
      message: Host network is not configured
      severity: warning
      success: true
    - category: Security
      checkID: dangerousCapabilities
      message: Container does not have any dangerous capabilities
      severity: danger
      success: true
      scope:
        type: Container
        value: nginx
    - category: Security
      checkID: hostPortSet
      message: Host port is not configured
      severity: warning
      success: true
      scope:
        type: Container
        value: nginx
    - category: Security
      checkID: insecureCapabilities
      message: Container should not have insecure capabilities
      severity: warning
      success: false
      scope:
        type: Container
        value: nginx
    - category: Security
      checkID: notReadOnlyRootFilesystem
      message: Filesystem should be read only
      severity: warning
      success: false
      scope:
        type: Container
        value: nginx

Third party Kubernetes configuration checkers, linters, and sanitizers that are compliant with the ConfigAuditReport schema can be integrated with Starboard.

Note

The challenge with onboarding third party configuration checkers is that they tend to have different interfaces to perform scans and vary in output formats for a relatively common goal, which is inspecting deployment descriptors for known configuration pitfalls.