SupportSnyk LearnAPI referenceProduct updatesSign up for free
Edit

Viewing project details and test results

All workloads that you and your team have imported for monitoring appear on your Projects page marked with a unique Kubernetes icon:

Kubernetes icon

To view and work with the workload test results:

  • Go to the Projects page and filter for Kubernetes projects only:

Expand any item to view:

  • a list of the individual images used in the workload

  • a summary of the number of vulnerabilities in each image

To view vulnerabilities in detail for any image, including its history, click the image name. The Project details page loads for the selected image:

  • To view an aggregate list of the vulnerabilities in all of the images in the workload, along with details about the security posture of the workload configuration, click the workload link. The Project details page loads for the selected image similar to the following example:

Currently, we test the workload configuration for the following properties:

Snyk parameter

Associated Kubernetes parameters

Description

CPU and Memory limits

Resources.limits.memory resources.limits.cpu

Limiting the expected CPU and Memory available to the container has operational as well as security benefits. In the context of security, this is about limiting the impact of potential denial of service attacks to affecting the app rather than the node and potentially the whole cluster.

runAsNonRoot

securityContext.runAsNonRoot

By default, containers can run as the root user. This property prevents that at the container runtime, meaning an attacker would only have limited permissions if they were to be able to execute a command in the context of the container.

readOnlyRootFilesystem

securityContext. readOnlyFilesystem

By default the file system mounted for the container is writable. That means an attacker who compromises the container can also write to the disk, which makes certain kinds of attacks easier. If your containers are stateless then you don’t need a writable filesystem.

Capabilities

securityContext.capabilities

At a low-level, Linux capabilities control what different processes in the container are allowed to do: from being able to write to the disk, to being able to communicate over the network. Dropping all capabilities and adding in those that are required is possible but requires understanding the list of capabilities first.

PreviousKubernetes integration UI explainedNextSnyk Priority Score and Kubernetes

Last updated

Was this helpful?

#4580: CLI: help, Ignore - support ticket 49463-add Iac examples

Change request updated