5.9k
Quick Start
DatreeHelm Chart DB
Spire by Philips

Spire Helm Chart

Spire
Analyzed version: 0.4.0

By Philips

A Helm chart for deploying spire-server and spire-agent. > :warning: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server. > :warning: Minimum Spire version is `v1.0.2`. To enable Projected Service Account Tokens on Docker for Mac/Windows run the following command to SSH into the Docker Desktop K8s VM. ```bash docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh ``` Then add the following to `/etc/kubernetes/manifests/kube-apiserver.yaml` ```yaml spec: containers: - command: - kube-apiserver - --api-audiences=api,spire-server - --service-account-issuer=api,spire-agent - --service-account-key-file=/run/config/pki/sa.pub - --service-account-signing-key-file=/run/config/pki/sa.key ```

How to install the chart
Does the chart contain security gaps?
How to install the chart
Does the chart contain security gaps?

Prometheus, a CNCF project, is a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true.

This chart bootstraps a Prometheus deployment on a Kubernetes cluster using the Helm package manager.

How to install the chart
Does the chart follow industry best practices
Latest version: 15.5.3
View GitHub

How to Install the Spire Helm Chart

Add Chart Repository to Helm

helm repo add philips-labs https://philips-labs.github.io/helm-charts/

Install Chart

helm install my-spire philips-labs/spire --version 0.4.0

Does the Spire chart contain security gaps?

The chart meets the best practices recommended by the industry.

The chart contains 10 misconfigurations.

The chart meets the best practices recommended by the industry. Find the full list of best practices here.

❌ Ensure each container has a configured liveness probe

2 occurrences:

  • metadata.name: release-name-spire-server (kind: StatefulSet)
  • metadata.name: release-name-spire-server-test-connection (kind: Pod)

💡 Missing property object `livenessProbe` - add a properly configured livenessProbe to catch possible deadlocks

Learn how to fix the issue here

❌ Prevent workload from using the default namespace

1 occurrences:

  • metadata.name: release-name-spire-agent (kind: DaemonSet)

💡 Incorrect value for key `namespace` - use an explicit namespace instead of the default one (`default`)

Learn how to fix the issue here

❌ Prevent deploying naked pods

1 occurrences:

  • metadata.name: release-name-spire-server-test-connection (kind: Pod)

💡 Incorrect value for key `kind` - raw pod won't be rescheduled in the event of a node failure

Learn how to fix the issue here

❌ Ensure each container has a configured memory request

4 occurrences:

  • metadata.name: release-name-spire-agent (kind: DaemonSet)
  • metadata.name: release-name-spire-server (kind: StatefulSet)
  • metadata.name: release-name-spire-server-test-connection (kind: Pod)

💡 Missing property object `requests.memory` - value should be within the accepted boundaries recommended by the organization

Learn how to fix the issue here

❌ Ensure each container has a configured readiness probe

2 occurrences:

  • metadata.name: release-name-spire-server (kind: StatefulSet)
  • metadata.name: release-name-spire-server-test-connection (kind: Pod)

💡 Missing property object `readinessProbe` - add a properly configured readinessProbe to notify kubelet your Pods are ready for traffic

Learn how to fix the issue here

❌ Ensure each container has a configured memory limit

4 occurrences:

  • metadata.name: release-name-spire-agent (kind: DaemonSet)
  • metadata.name: release-name-spire-server (kind: StatefulSet)
  • metadata.name: release-name-spire-server-test-connection (kind: Pod)

💡 Missing property object `limits.memory` - value should be within the accepted boundaries recommended by the organization

Learn how to fix the issue here

❌ Ensure each container image has a pinned (tag) version

1 occurrences:

  • metadata.name: release-name-spire-server-test-connection (kind: Pod)

💡 Incorrect value for key `image` - specify an image version to avoid unpleasant "version surprises" in the future

Learn how to fix the issue here

❌ Prevent ConfigMap security vulnerability (CVE-2021-25742)

3 occurrences:

  • metadata.name: release-name-spire-agent (kind: ConfigMap)
  • metadata.name: release-name-spire-server (kind: ConfigMap)
  • metadata.name: release-name-spire-workload-registrar (kind: ConfigMap)

💡 Missing property object `allow-snippet-annotations` - set it to "false" to override default behaviour

Learn how to fix the issue here

❌ Ensure each container has a configured CPU request

4 occurrences:

  • metadata.name: release-name-spire-agent (kind: DaemonSet)
  • metadata.name: release-name-spire-server (kind: StatefulSet)
  • metadata.name: release-name-spire-server-test-connection (kind: Pod)

💡 Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization

Learn how to fix the issue here

❌ Ensure each container has a configured CPU limit

4 occurrences:

  • metadata.name: release-name-spire-agent (kind: DaemonSet)
  • metadata.name: release-name-spire-server (kind: StatefulSet)
  • metadata.name: release-name-spire-server-test-connection (kind: Pod)

💡 Missing property object `limits.cpu` - value should be within the accepted boundaries recommended by the organization

Learn how to fix the issue here

This is some text inside of a div block.
This is some text inside of a div block.

Related Charts

Bitnami

Kiam

Bitnami
TrueCharts

Grocy

TrueCharts
Bitnami

Postgresql

Bitnami
AppsCode Inc.

Kubeform-provider-datadog-service-crds

AppsCode Inc.
AppsCode Inc.

Kubeform-provider-aws-iam-crds

AppsCode Inc.
Buttahtoast

Csgo

Buttahtoast

Reveal misconfigurations within minutes

3 Quick Steps to Get Started

See GitHub Project
See Docs