SupportAPI docsProduct updatesSign up for free
Search…
Snyk User Documentation
Introducing Snyk
Getting started
Snyk Web UI
Snyk CLI
Snyk API
Snyk for IDEs
Snyk Apps
Snyk Integrations
SNYK PRODUCTS
Snyk Open Source
Snyk Code
Snyk Container
Getting started with Snyk Container
Snyk Container security basics
Snyk CLI for container security
Getting around the Snyk Container UI
Scan your Dockerfile
Snyk Container for self-hosted container registries (with broker)
Kubernetes integration
Kubernetes integration overview
Installation page
Kubernetes integration features
Kubernetes integration UI explained
Viewing project details and test results
Snyk Priority Score and Kubernetes
Kubernetes integration FAQ
Image scanning information library
Snyk Infrastructure as Code
Snyk Cloud
USING SNYK
Snyk Broker
User and group management
Fixing and prioritizing issues
Snyk reports
Snyk Tools
SNYK INFO
Disclosing vulnerabilities
How Snyk handles your data
Snyk Partner workshops
Powered By GitBook
Viewing project details and test results
All workloads that you and your team have imported for monitoring appear on your Projects page marked with a unique Kubernetes icon:
Kubernetes icon
To view and work with the workload test results:
  • Go to the Projects page and filter for Kubernetes projects only:
Expand any item to view:
  • a list of the individual images used in the workload
  • a summary of the number of vulnerabilities in each image
To view vulnerabilities in detail for any image, including its history, click the image name. The Project details page loads for the selected image:
  • To view an aggregate list of the vulnerabilities in all of the images in the workload, along with details about the security posture of the workload configuration, click the workload link. The Project details page loads for the selected image similar to the following example:
Currently, we test the workload configuration for the following properties:
Snyk parameter
Associated Kubernetes parameters
Description
CPU and Memory limits
Resources.limits.memory resources.limits.cpu
Limiting the expected CPU and Memory available to the container has operational as well as security benefits. In the context of security, this is about limiting the impact of potential denial of service attacks to affecting the app rather than the node and potentially the whole cluster.
runAsNonRoot
securityContext.runAsNonRoot
By default, containers can run as the root user. This property prevents that at the container runtime, meaning an attacker would only have limited permissions if they were to be able to execute a command in the context of the container.
readOnlyRootFilesystem
securityContext. readOnlyFilesystem
By default the file system mounted for the container is writable. That means an attacker who compromises the container can also write to the disk, which makes certain kinds of attacks easier. If your containers are stateless then you don’t need a writable filesystem.
Capabilities
securityContext.capabilities
At a low-level, Linux capabilities control what different processes in the container are allowed to do: from being able to write to the disk, to being able to communicate over the network. Dropping all capabilities and adding in those that are required is possible but requires understanding the list of capabilities first.
Previous
Kubernetes integration UI explained
Next
Snyk Priority Score and Kubernetes
Last modified 1mo ago
Export as PDF
Copy link
Edit on GitHub