False-positive security findings

Overview

This page lists security findings that the amazee.io IT Security team has received in past penetration tests and vulnerability assessments against the amazee.io platform, and which we consider to be false positives.

Findings / Recommendations

Finding / Recommendation:
No egress restrictions to the internet from Lagoon environment namespaces.

False-positive justification:
Lagoon environments are used to run arbitrary code from Lagoon users, who expect to be able to access the internet to e.g. download software packages. amazee.io cannot restrict this access as it is an integral part of the Lagoon platform offering.

Finding / Recommendation:
baas-* S3 buckets have the following features disabled:
  • Encryption at rest
  • MFA Delete
  • Versioning
  • Public Access

False-positive justification:
These buckets are used by the amazee.io platform backup service, k8up.
  • k8up encrypts the backup data client-side before uploading it to S3, as described in the S3 security best practices. Since January 2023 server-side encryption is also enabled by default on new objects.
  • k8up automatically prunes the backup repository on a configurable schedule. It needs to be able to delete encrypted blobs from the bucket during this pruning process, so MFA Delete cannot be enabled.
  • k8up automatically prunes the backup repository to reduce usage of the S3 storage. Versioning would mean that the pruned data would still be counted towards the S3 storage use. Therefore Versioning cannot be enabled.
  • k8up has no ability to automatically configure the Block Public Access configuration of the buckets, instead relying on the default bucket settings from AWS. Since April 2023 Block Public Access is the default for new buckets, which fixes this issue.

References:
  • Security best practices for Amazon S3
  • Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023
  • Amazon S3 Encrypts New Objects By Default
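
The following is an added example, not part of the amazee.io documentation or of k8up: a small triage helper that applies the baas-* justifications above to scanner results, so that the documented exceptions are accepted only for baas-* buckets and everything else still goes to review. The function names and bucket names are constructed; the input dictionaries are assumed to follow the output shape of `aws s3api get-bucket-versioning`, `get-bucket-encryption` and `get-public-access-block`. It also assumes that a baas-* bucket without Block Public Access should be reviewed rather than accepted, since the April 2023 default applies to new buckets only.

```python
from fnmatch import fnmatch

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
# Findings the page justifies for baas-* buckets: k8up prunes (deletes) blobs
# and encrypts client-side. Block Public Access is deliberately NOT listed.
ACCEPTED_FOR_BAAS = {"encryption_at_rest", "mfa_delete", "versioning"}


def bucket_state(versioning, encryption, public_access_block):
    """Reduce s3api-shaped responses (dict, or None when unset) to booleans."""
    v = versioning or {}
    rules = (encryption or {}).get(
        "ServerSideEncryptionConfiguration", {}).get("Rules", [])
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    return {
        "encryption_at_rest": any(
            "ApplyServerSideEncryptionByDefault" in r for r in rules),
        "mfa_delete": v.get("MFADelete") == "Enabled",
        "versioning": v.get("Status") == "Enabled",
        # All four settings must be true for the bucket to count as blocked.
        "block_public_access": all(pab.get(k) is True for k in PAB_KEYS),
    }


def triage(bucket, versioning=None, encryption=None, public_access_block=None):
    """Map each control to 'ok', 'accepted' (documented exception) or 'review'."""
    is_baas = fnmatch(bucket, "baas-*")
    verdicts = {}
    for check, enabled in bucket_state(
            versioning, encryption, public_access_block).items():
        if enabled:
            verdicts[check] = "ok"
        elif is_baas and check in ACCEPTED_FOR_BAAS:
            verdicts[check] = "accepted"
        else:
            verdicts[check] = "review"
    return verdicts


# Constructed sample: SSE-S3 default encryption, versioning never configured,
# and no Block Public Access configuration on the bucket.
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    for name in ("baas-example-project", "example-assets"):  # constructed names
        print(name, triage(name, versioning={}, encryption=SAMPLE_ENCRYPTION))
```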