Container Gateway Vulnerabilities



Article ID: 269116




CA API Gateway


While running the Layer7 Container Gateway in Azure Kubernetes Service (AKS) using the Gateway:10.1.00 image, Microsoft Defender and the Azure built-in policies reported the following findings:

- Running containers as root user should be avoided
- Immutable (read-only) root filesystem should be enforced for containers


API Gateway 10.1, 11.0


Our container gateway runs as a non-root user named 'runner' unless you have explicitly configured the container to run as root through a Security Context. If you look inside the container, the directories are not mounted read-only, but they are owned by root; since you cannot access the container as the root user, the filesystem will remain immutable. This is the default behavior of the container gateway.

$ kubectl get pods -n <namespace>
NAME                                  READY   STATUS    RESTARTS      AGE
gateway11-pm-tagger-9f5575486-xxxxx   1/1     Running   1 (81d ago)   81d
gateway11-mysql-0                     1/1     Running   1 (81d ago)   81d
gateway11-6f745dbc86-xxxxx            1/1     Running   1 (81d ago)   81d
$ kubectl exec --stdin --tty -n <namespace> gateway11-6f745dbc86-xxxxx -- /bin/sh
sh-4.2$ whoami

NOTE: This example is from an 11.0 GW container but the same steps work for 10.1.
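The two policy findings are evaluated against the pod specification, not against the user the image actually switches to, so a gateway pod with no securityContext declared is reported even though the process runs as 'runner'. The following added script (not part of this article or the product) audits the output of `kubectl get pod <pod> -n <namespace> -o json` for the two settings the policies are assumed to check (runAsNonRoot / runAsUser and readOnlyRootFilesystem); the sample pod JSON and image name are constructed.

```python
import json

# Constructed sample of `kubectl get pod ... -o json` output: a gateway pod
# with no securityContext at pod or container level (the default deployment).
SAMPLE_POD_JSON = """
{
  "kind": "Pod",
  "metadata": {"name": "gateway11-6f745dbc86-xxxxx", "namespace": "gateway"},
  "spec": {
    "containers": [
      {"name": "gateway", "image": "<registry>/gateway:10.1.00"}
    ]
  }
}
"""

# Finding texts as reported by Defender / Azure Policy in the article.
ROOT_FINDING = "Running containers as root user should be avoided"
RO_FINDING = "Immutable (read-only) root filesystem should be enforced for containers"


def audit_pod(pod: dict) -> dict:
    """Return {container name: [findings that still apply]}.

    Assumption: the non-root policy is satisfied by runAsNonRoot: true or a
    non-zero runAsUser (container level overrides pod level; runAsUser: 0 is
    always root), and the read-only policy only by an explicit
    readOnlyRootFilesystem: true on the container. The image's own USER
    ('runner') is invisible to the policy engine, so it does not count.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    report = {}
    for container in spec.get("containers", []):
        sc = container.get("securityContext") or {}
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0:
            non_root_declared = False
        else:
            non_root_declared = run_as_non_root is True or (
                isinstance(run_as_user, int) and run_as_user > 0)
        read_only = sc.get("readOnlyRootFilesystem") is True
        findings = []
        if not non_root_declared:
            findings.append(ROOT_FINDING)
        if not read_only:
            findings.append(RO_FINDING)
        report[container["name"]] = findings
    return report


def audit_pod_json(text: str) -> dict:
    """Convenience wrapper for raw kubectl JSON output."""
    return audit_pod(json.loads(text))


if __name__ == "__main__":
    for name, findings in audit_pod_json(SAMPLE_POD_JSON).items():
        print(name, findings or ["no findings"])
```

Pipe real output into it with `kubectl get pod <pod> -n <namespace> -o json | python3 audit.py` after replacing the sample with `sys.stdin.read()`; whether the gateway tolerates readOnlyRootFilesystem: true is a separate question this script does not answer.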