feat(misconf): add ephemeral container support to KSV014#538

Open
adityaupasani2 wants to merge 6 commits into aquasecurity:main from adityaupasani2:fix/ksv014-ephemeral-containers

Conversation

@adityaupasani2

Summary

KSV014 currently checks only containers for read-only root filesystem,
but Pod Security Standards also require initContainers and
ephemeralContainers to be checked.

A writable ephemeral container filesystem allows attackers to install
malware or tamper with files during a debug session.

Changes

  • Extended getReadOnlyRootFilesystemContainers and
    getNotReadOnlyRootFilesystemContainers in KSV014 to include
    initContainers and ephemeralContainers
  • Updated recommended_action metadata to reflect the change
  • Added test cases for initContainers and ephemeralContainers

Related Issue

Related to #9936

  • Add ephemeralContainers to pod_containers in lib/kubernetes/kubernetes.rego
  • Update recommended_action metadata for KSV104
  • Add 4 test cases for initContainers and ephemeralContainers

Fixes #9936
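The selection logic the PR describes, as an added example that is not part of this PR or of trivy-checks: a Python rendering of KSV014's container selection before and after it covers initContainers and ephemeralContainers, run over a constructed Pod manifest. The helper names (pod_containers, has_read_only_root_fs, not_read_only_root_fs, ksv014_findings), the two field tuples and the sample manifest are this example's own assumptions, not the project's Rego.

```python
"""Added example (not trivy-checks code): the container-selection logic KSV014
needs, before and after extending it to initContainers and ephemeralContainers,
run over a constructed Pod manifest. Names such as pod_containers and
ksv014_findings are this example's own, not the project's Rego helpers."""

# Constructed sample manifest: the regular and init containers pass KSV014,
# but the ephemeral debug container (the kind `kubectl debug` attaches) has no
# securityContext at all, so its root filesystem is writable.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app", "namespace": "prod"},
    "spec": {
        "containers": [
            {"name": "web", "image": "nginx:1.25",
             "securityContext": {"readOnlyRootFilesystem": True}},
        ],
        "initContainers": [
            {"name": "migrate", "image": "busybox:1.36",
             "securityContext": {"readOnlyRootFilesystem": True}},
        ],
        "ephemeralContainers": [
            {"name": "debugger", "image": "busybox:1.36",
             "targetContainerName": "web"},
        ],
    },
}

# Which spec lists the check walks: the original behaviour (containers only)
# versus the extended behaviour described in the PR.
CONTAINER_FIELDS_OLD = ("containers",)
CONTAINER_FIELDS_NEW = ("containers", "initContainers", "ephemeralContainers")


def pod_containers(pod, fields=CONTAINER_FIELDS_NEW):
    """Yield (field, container) for every container in the chosen spec lists.

    A list that is absent or explicitly null (`initContainers:` with no value
    in YAML parses to None) contributes nothing rather than raising.
    """
    spec = pod.get("spec") or {}
    for field in fields:
        for container in spec.get(field) or []:
            yield field, container


def has_read_only_root_fs(container):
    """True only when readOnlyRootFilesystem is explicitly true.

    A missing securityContext, a null one, or an explicit false all leave the
    root filesystem writable.
    """
    ctx = container.get("securityContext") or {}
    return ctx.get("readOnlyRootFilesystem") is True


def not_read_only_root_fs(pod, fields=CONTAINER_FIELDS_NEW):
    """Containers KSV014 should flag, as '<spec field>/<container name>'."""
    return [f"{field}/{c['name']}" for field, c in pod_containers(pod, fields)
            if not has_read_only_root_fs(c)]


def ksv014_findings(pod, fields=CONTAINER_FIELDS_NEW):
    """One finding per writable-root container, in a scanner-like shape."""
    md = pod.get("metadata") or {}
    return [
        {
            "id": "KSV014",
            "namespace": md.get("namespace", "default"),
            "pod": md.get("name", ""),
            "container": ref,
            "message": (f"Container '{ref.split('/', 1)[1]}' of Pod "
                        f"'{md.get('name', '')}' should set "
                        "securityContext.readOnlyRootFilesystem to true"),
        }
        for ref in not_read_only_root_fs(pod, fields)
    ]


if __name__ == "__main__":
    print("containers only:", not_read_only_root_fs(SAMPLE_POD, CONTAINER_FIELDS_OLD))
    print("all container lists:", not_read_only_root_fs(SAMPLE_POD))
    for finding in ksv014_findings(SAMPLE_POD):
        print(finding["message"])
```

Running it shows the gap the PR closes: with only `containers` inspected the sample Pod is clean, with all three lists the ephemeral `debugger` container is flagged. One caveat when exercising the real check: ephemeralContainers cannot be set in a Pod create request, they are added to a running Pod through the pod's `ephemeralcontainers` subresource (what `kubectl debug` uses), so the new branch is reached by scanning live cluster objects or exported Pod YAML rather than the manifests that were originally applied.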