{ "version": 1, "generated_from": "Jenkins titan-iac build 225 Trivy filesystem scan", "default_expires_at": "2026-05-22", "ticket": "atlas-quality-wave-k8s-hardening", "default_reason": "Existing Kubernetes manifest hardening baseline accepted only for the first quality-gate rollout; fix or renew explicitly before expiry.", "misconfigurations": [ { "id": "DS-0002", "targets": [ "dockerfiles/Dockerfile.ananke-node-helper" ] }, { "id": "KSV-0009", "targets": [ "services/mailu/vip-controller.yaml", "services/maintenance/k3s-agent-restart-daemonset.yaml" ] }, { "id": "KSV-0010", "targets": [ "services/maintenance/k3s-agent-restart-daemonset.yaml", "services/maintenance/metis-sentinel-amd64-daemonset.yaml", "services/maintenance/metis-sentinel-arm64-daemonset.yaml", "services/monitoring/jetson-tegrastats-exporter.yaml" ] }, { "id": "KSV-0014", "targets": [ "infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml", "infrastructure/core/ntp-sync-daemonset.yaml", "infrastructure/longhorn/adopt/longhorn-helm-adopt-job.yaml", "infrastructure/longhorn/core/longhorn-disk-tags-ensure-job.yaml", "infrastructure/longhorn/core/longhorn-settings-ensure-job.yaml", "infrastructure/longhorn/core/vault-sync-deployment.yaml", "infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml", "infrastructure/modules/profiles/components/device-plugin-jetson/daemonset.yaml", "infrastructure/modules/profiles/components/device-plugin-minipc/daemonset.yaml", "infrastructure/modules/profiles/components/device-plugin-tethys/daemonset.yaml", "infrastructure/postgres/statefulset.yaml", "infrastructure/vault-csi/vault-csi-provider.yaml", "services/ai-llm/deployment.yaml", "services/bstein-dev-home/backend-deployment.yaml", "services/bstein-dev-home/chat-ai-gateway-deployment.yaml", "services/bstein-dev-home/frontend-deployment.yaml", "services/bstein-dev-home/oneoffs/migrations/portal-migrate-job.yaml", "services/bstein-dev-home/oneoffs/portal-onboarding-e2e-test-job.yaml", "services/bstein-dev-home/vault-sync-deployment.yaml", "services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml", "services/comms/atlasbot-deployment.yaml", "services/comms/coturn.yaml", "services/comms/element-call-deployment.yaml", "services/comms/guest-name-job.yaml", "services/comms/guest-register-deployment.yaml", "services/comms/livekit-token-deployment.yaml", "services/comms/livekit.yaml", "services/comms/mas-deployment.yaml", "services/comms/oneoffs/bstein-force-leave-job.yaml", "services/comms/oneoffs/comms-secrets-ensure-job.yaml", "services/comms/oneoffs/mas-admin-client-secret-ensure-job.yaml", "services/comms/oneoffs/mas-db-ensure-job.yaml", "services/comms/oneoffs/mas-local-users-ensure-job.yaml", "services/comms/oneoffs/othrys-kick-numeric-job.yaml", "services/comms/oneoffs/synapse-admin-ensure-job.yaml", "services/comms/oneoffs/synapse-seeder-admin-ensure-job.yaml", "services/comms/oneoffs/synapse-signingkey-ensure-job.yaml", "services/comms/oneoffs/synapse-user-seed-job.yaml", "services/comms/pin-othrys-job.yaml", "services/comms/reset-othrys-room-job.yaml", "services/comms/seed-othrys-room.yaml", "services/comms/vault-sync-deployment.yaml", "services/comms/wellknown.yaml", "services/crypto/monerod/deployment.yaml", "services/crypto/wallet-monero-temp/deployment.yaml", "services/crypto/xmr-miner/deployment.yaml", "services/crypto/xmr-miner/vault-sync-deployment.yaml", "services/crypto/xmr-miner/xmrig-daemonset.yaml", "services/finance/actual-budget-deployment.yaml", "services/finance/firefly-cronjob.yaml", "services/finance/firefly-deployment.yaml", "services/finance/firefly-user-sync-cronjob.yaml", "services/finance/oneoffs/finance-secrets-ensure-job.yaml", "services/gitea/deployment.yaml", "services/harbor/vault-sync-deployment.yaml", "services/health/wger-admin-ensure-cronjob.yaml", "services/health/wger-deployment.yaml", "services/health/wger-user-sync-cronjob.yaml", "services/jellyfin/deployment.yaml", "services/jellyfin/loader.yaml", "services/jenkins/deployment.yaml", "services/jenkins/vault-sync-deployment.yaml", "services/keycloak/deployment.yaml", "services/keycloak/oneoffs/actual-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/harbor-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/ldap-federation-job.yaml", "services/keycloak/oneoffs/logs-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/mas-secrets-ensure-job.yaml", "services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml", "services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml", "services/keycloak/oneoffs/portal-e2e-client-job.yaml", "services/keycloak/oneoffs/portal-e2e-execute-actions-email-test-job.yaml", "services/keycloak/oneoffs/portal-e2e-target-client-job.yaml", "services/keycloak/oneoffs/portal-e2e-token-exchange-permissions-job.yaml", "services/keycloak/oneoffs/portal-e2e-token-exchange-test-job.yaml", "services/keycloak/oneoffs/quality-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/realm-settings-job.yaml", "services/keycloak/oneoffs/soteria-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/synapse-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/user-overrides-job.yaml", "services/keycloak/oneoffs/vault-oidc-secret-ensure-job.yaml", "services/keycloak/vault-sync-deployment.yaml", "services/logging/node-image-gc-rpi4-daemonset.yaml", "services/logging/node-image-prune-rpi5-daemonset.yaml", "services/logging/node-log-rotation-daemonset.yaml", "services/logging/oauth2-proxy.yaml", "services/logging/oneoffs/opensearch-dashboards-setup-job.yaml", "services/logging/oneoffs/opensearch-ism-job.yaml", "services/logging/oneoffs/opensearch-observability-setup-job.yaml", "services/logging/opensearch-prune-cronjob.yaml", "services/logging/vault-sync-deployment.yaml", "services/mailu/mailu-sync-cronjob.yaml", "services/mailu/mailu-sync-listener.yaml", "services/mailu/oneoffs/mailu-sync-job.yaml", "services/mailu/vault-sync-deployment.yaml", "services/mailu/vip-controller.yaml", "services/maintenance/ariadne-deployment.yaml", "services/maintenance/disable-k3s-traefik-daemonset.yaml", "services/maintenance/image-sweeper-cronjob.yaml", "services/maintenance/k3s-agent-restart-daemonset.yaml", "services/maintenance/metis-deployment.yaml", "services/maintenance/metis-k3s-token-sync-cronjob.yaml", "services/maintenance/metis-sentinel-amd64-daemonset.yaml", "services/maintenance/metis-sentinel-arm64-daemonset.yaml", "services/maintenance/node-image-sweeper-daemonset.yaml", "services/maintenance/node-nofile-daemonset.yaml", "services/maintenance/oauth2-proxy-metis.yaml", "services/maintenance/oauth2-proxy-soteria.yaml", "services/maintenance/oneoffs/ariadne-migrate-job.yaml", "services/maintenance/oneoffs/k3s-traefik-cleanup-job.yaml", "services/maintenance/oneoffs/titan-24-rootfs-sweep-job.yaml", "services/maintenance/pod-cleaner-cronjob.yaml", "services/maintenance/soteria-deployment.yaml", "services/maintenance/vault-sync-deployment.yaml", "services/monitoring/dcgm-exporter.yaml", "services/monitoring/jetson-tegrastats-exporter.yaml", "services/monitoring/oneoffs/grafana-org-bootstrap.yaml", "services/monitoring/oneoffs/grafana-user-dedupe-job.yaml", "services/monitoring/platform-quality-gateway-deployment.yaml", "services/monitoring/platform-quality-suite-probe-cronjob.yaml", "services/monitoring/postmark-exporter-deployment.yaml", "services/monitoring/vault-sync-deployment.yaml", "services/nextcloud-mail-sync/cronjob.yaml", "services/nextcloud/collabora.yaml", "services/nextcloud/cronjob.yaml", "services/nextcloud/deployment.yaml", "services/nextcloud/maintenance-cronjob.yaml", "services/oauth2-proxy/deployment.yaml", "services/openldap/statefulset.yaml", "services/outline/deployment.yaml", "services/outline/redis-deployment.yaml", "services/pegasus/deployment.yaml", "services/pegasus/vault-sync-deployment.yaml", "services/planka/deployment.yaml", "services/quality/oauth2-proxy-sonarqube.yaml", "services/quality/sonarqube-deployment.yaml", "services/quality/sonarqube-exporter-deployment.yaml", "services/sui-metrics/base/deployment.yaml", "services/typhon/vault-sync-deployment.yaml", "services/vault/k8s-auth-config-cronjob.yaml", "services/vault/oidc-config-cronjob.yaml", "services/vault/statefulset.yaml", "services/vaultwarden/deployment.yaml" ] }, { "id": "KSV-0017", "targets": [ "infrastructure/modules/profiles/components/device-plugin-jetson/daemonset.yaml", "infrastructure/modules/profiles/components/device-plugin-minipc/daemonset.yaml", "infrastructure/modules/profiles/components/device-plugin-tethys/daemonset.yaml", "services/logging/node-image-gc-rpi4-daemonset.yaml", "services/logging/node-image-prune-rpi5-daemonset.yaml", "services/logging/node-log-rotation-daemonset.yaml", "services/maintenance/disable-k3s-traefik-daemonset.yaml", "services/maintenance/image-sweeper-cronjob.yaml", "services/maintenance/k3s-agent-restart-daemonset.yaml", "services/maintenance/metis-deployment.yaml", "services/maintenance/metis-sentinel-amd64-daemonset.yaml", "services/maintenance/metis-sentinel-arm64-daemonset.yaml", "services/maintenance/node-image-sweeper-daemonset.yaml", "services/maintenance/node-nofile-daemonset.yaml", "services/maintenance/oneoffs/titan-24-rootfs-sweep-job.yaml", "services/monitoring/dcgm-exporter.yaml", "services/monitoring/jetson-tegrastats-exporter.yaml" ] }, { "id": "KSV-0041", "targets": [ "infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml", "infrastructure/longhorn/adopt/longhorn-adopt-rbac.yaml", "infrastructure/traefik/clusterrole.yaml", "services/bstein-dev-home/rbac.yaml", "services/comms/comms-secrets-ensure-rbac.yaml", "services/comms/mas-db-ensure-rbac.yaml", "services/comms/mas-secrets-ensure-rbac.yaml", "services/maintenance/soteria-rbac.yaml" ] }, { "id": "KSV-0047", "targets": [ "services/monitoring/rbac.yaml" ] }, { "id": "KSV-0053", "targets": [ "services/comms/comms-secrets-ensure-rbac.yaml", "services/comms/mas-db-ensure-rbac.yaml", "services/jenkins/serviceaccount.yaml", "services/maintenance/ariadne-rbac.yaml" ] }, { "id": "KSV-0056", "targets": [ "infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml", "infrastructure/longhorn/adopt/longhorn-adopt-rbac.yaml", "services/jenkins/serviceaccount.yaml", "services/maintenance/disable-k3s-traefik-rbac.yaml", "services/maintenance/k3s-traefik-cleanup-rbac.yaml" ] }, { "id": "KSV-0114", "targets": [ "infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml" ] }, { "id": "KSV-0118", "targets": [ "infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml", "infrastructure/core/coredns-deployment.yaml", "infrastructure/core/ntp-sync-daemonset.yaml", "infrastructure/longhorn/adopt/longhorn-helm-adopt-job.yaml", "infrastructure/longhorn/core/longhorn-disk-tags-ensure-job.yaml", "infrastructure/longhorn/core/longhorn-settings-ensure-job.yaml", "infrastructure/longhorn/core/vault-sync-deployment.yaml", "infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml", "infrastructure/modules/profiles/components/device-plugin-jetson/daemonset.yaml", "infrastructure/modules/profiles/components/device-plugin-minipc/daemonset.yaml", "infrastructure/modules/profiles/components/device-plugin-tethys/daemonset.yaml", "infrastructure/postgres/statefulset.yaml", "infrastructure/vault-csi/vault-csi-provider.yaml", "services/ai-llm/deployment.yaml", "services/bstein-dev-home/backend-deployment.yaml", "services/bstein-dev-home/chat-ai-gateway-deployment.yaml", "services/bstein-dev-home/frontend-deployment.yaml", "services/bstein-dev-home/oneoffs/migrations/portal-migrate-job.yaml", "services/bstein-dev-home/oneoffs/portal-onboarding-e2e-test-job.yaml", "services/bstein-dev-home/vault-sync-deployment.yaml", "services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml", "services/comms/atlasbot-deployment.yaml", "services/comms/coturn.yaml", "services/comms/element-call-deployment.yaml", "services/comms/guest-name-job.yaml", "services/comms/livekit-token-deployment.yaml", "services/comms/livekit.yaml", "services/comms/mas-deployment.yaml", "services/comms/oneoffs/bstein-force-leave-job.yaml", "services/comms/oneoffs/comms-secrets-ensure-job.yaml", "services/comms/oneoffs/mas-admin-client-secret-ensure-job.yaml", "services/comms/oneoffs/mas-db-ensure-job.yaml", "services/comms/oneoffs/mas-local-users-ensure-job.yaml", "services/comms/oneoffs/othrys-kick-numeric-job.yaml", "services/comms/oneoffs/synapse-admin-ensure-job.yaml", "services/comms/oneoffs/synapse-seeder-admin-ensure-job.yaml", "services/comms/oneoffs/synapse-signingkey-ensure-job.yaml", "services/comms/oneoffs/synapse-user-seed-job.yaml", "services/comms/pin-othrys-job.yaml", "services/comms/reset-othrys-room-job.yaml", "services/comms/seed-othrys-room.yaml", "services/comms/vault-sync-deployment.yaml", "services/comms/wellknown.yaml", "services/crypto/monerod/deployment.yaml", "services/crypto/wallet-monero-temp/deployment.yaml", "services/crypto/xmr-miner/deployment.yaml", "services/crypto/xmr-miner/vault-sync-deployment.yaml", "services/crypto/xmr-miner/xmrig-daemonset.yaml", "services/finance/firefly-cronjob.yaml", "services/finance/firefly-deployment.yaml", "services/finance/firefly-user-sync-cronjob.yaml", "services/finance/oneoffs/finance-secrets-ensure-job.yaml", "services/gitea/deployment.yaml", "services/harbor/vault-sync-deployment.yaml", "services/health/wger-admin-ensure-cronjob.yaml", "services/health/wger-deployment.yaml", "services/health/wger-user-sync-cronjob.yaml", "services/jellyfin/loader.yaml", "services/jenkins/deployment.yaml", "services/jenkins/vault-sync-deployment.yaml", "services/keycloak/oneoffs/actual-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/harbor-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/ldap-federation-job.yaml", "services/keycloak/oneoffs/logs-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/mas-secrets-ensure-job.yaml", "services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml", "services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml", "services/keycloak/oneoffs/portal-e2e-client-job.yaml", "services/keycloak/oneoffs/portal-e2e-execute-actions-email-test-job.yaml", "services/keycloak/oneoffs/portal-e2e-target-client-job.yaml", "services/keycloak/oneoffs/portal-e2e-token-exchange-permissions-job.yaml", "services/keycloak/oneoffs/portal-e2e-token-exchange-test-job.yaml", "services/keycloak/oneoffs/quality-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/realm-settings-job.yaml", "services/keycloak/oneoffs/soteria-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/synapse-oidc-secret-ensure-job.yaml", "services/keycloak/oneoffs/user-overrides-job.yaml", "services/keycloak/oneoffs/vault-oidc-secret-ensure-job.yaml", "services/keycloak/vault-sync-deployment.yaml", "services/logging/node-image-gc-rpi4-daemonset.yaml", "services/logging/node-image-prune-rpi5-daemonset.yaml", "services/logging/node-log-rotation-daemonset.yaml", "services/logging/oauth2-proxy.yaml", "services/logging/oneoffs/opensearch-dashboards-setup-job.yaml", "services/logging/oneoffs/opensearch-ism-job.yaml", "services/logging/oneoffs/opensearch-observability-setup-job.yaml", "services/logging/opensearch-prune-cronjob.yaml", "services/logging/vault-sync-deployment.yaml", "services/mailu/mailu-sync-cronjob.yaml", "services/mailu/mailu-sync-listener.yaml", "services/mailu/oneoffs/mailu-sync-job.yaml", "services/mailu/vault-sync-deployment.yaml", "services/mailu/vip-controller.yaml", "services/maintenance/ariadne-deployment.yaml", "services/maintenance/disable-k3s-traefik-daemonset.yaml", "services/maintenance/image-sweeper-cronjob.yaml", "services/maintenance/k3s-agent-restart-daemonset.yaml", "services/maintenance/metis-deployment.yaml", "services/maintenance/metis-k3s-token-sync-cronjob.yaml", "services/maintenance/metis-sentinel-amd64-daemonset.yaml", "services/maintenance/metis-sentinel-arm64-daemonset.yaml", "services/maintenance/node-image-sweeper-daemonset.yaml", "services/maintenance/node-nofile-daemonset.yaml", "services/maintenance/oauth2-proxy-metis.yaml", "services/maintenance/oauth2-proxy-soteria.yaml", "services/maintenance/oneoffs/ariadne-migrate-job.yaml", "services/maintenance/oneoffs/k3s-traefik-cleanup-job.yaml", "services/maintenance/oneoffs/titan-24-rootfs-sweep-job.yaml", "services/maintenance/pod-cleaner-cronjob.yaml", "services/maintenance/soteria-deployment.yaml", "services/maintenance/vault-sync-deployment.yaml", "services/monitoring/dcgm-exporter.yaml", "services/monitoring/jetson-tegrastats-exporter.yaml", "services/monitoring/oneoffs/grafana-org-bootstrap.yaml", "services/monitoring/oneoffs/grafana-user-dedupe-job.yaml", "services/monitoring/platform-quality-gateway-deployment.yaml", "services/monitoring/platform-quality-suite-probe-cronjob.yaml", "services/monitoring/postmark-exporter-deployment.yaml", "services/monitoring/vault-sync-deployment.yaml", "services/nextcloud/collabora.yaml", "services/oauth2-proxy/deployment.yaml", "services/openldap/statefulset.yaml", "services/outline/deployment.yaml", "services/outline/redis-deployment.yaml", "services/pegasus/vault-sync-deployment.yaml", "services/quality/oauth2-proxy-sonarqube.yaml", "services/quality/sonarqube-deployment.yaml", "services/quality/sonarqube-exporter-deployment.yaml", "services/sui-metrics/base/deployment.yaml", "services/sui-metrics/overlays/atlas/patch-node-selector.yaml", "services/typhon/deployment.yaml", "services/typhon/vault-sync-deployment.yaml", "services/vault/k8s-auth-config-cronjob.yaml", "services/vault/oidc-config-cronjob.yaml", "services/vaultwarden/deployment.yaml" ] }, { "id": "KSV-0121", "targets": [ "services/logging/node-image-gc-rpi4-daemonset.yaml", "services/logging/node-image-prune-rpi5-daemonset.yaml", "services/logging/node-log-rotation-daemonset.yaml", "services/maintenance/disable-k3s-traefik-daemonset.yaml", "services/maintenance/image-sweeper-cronjob.yaml", "services/maintenance/metis-deployment.yaml", "services/maintenance/node-image-sweeper-daemonset.yaml", "services/maintenance/node-nofile-daemonset.yaml", "services/maintenance/oneoffs/titan-24-rootfs-sweep-job.yaml" ] } ] }