move more security checks to jsonschema

checks/notReadOnlyRootFileSystem.yaml

@@ -0,0 +1,18 @@
+name: NotReadOnlyRootFileSystem
+id: notReadOnlyRootFileSystem
+successMessage: Filesystem is read only
+failureMessage: Filesystem should be read only
+category: Security
+target: Container
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  type: object
+  required:
+  - securityContext
+  properties:
+    securityContext:
+      required:
+      - readOnlyRootFilesystem
+      properties:
+        readOnlyRootFilesystem:
+          const: true

checks/privilegeEscalationAllowed.yaml

@@ -0,0 +1,15 @@
+name: PrivilegeEscalationAllowed
+id: privilegeEscalationAllowed
+successMessage: Privilege escalation not allowed
+failureMessage: Privilege escalation should not be allowed
+category: Security
+target: Container
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  type: object
+  properties:
+    securityContext:
+      properties:
+        allowPrivilegeEscalation:
+          not:
+            const: true

checks/runAsPrivileged.yaml

@@ -0,0 +1,15 @@
+name: RunAsPrivileged
+id: runAsPrivileged
+successMessage: Not running as privileged
+failureMessage: Should not be running as privileged
+category: Security
+target: Container
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  type: object
+  properties:
+    securityContext:
+      properties:
+        privileged:
+          not:
+            const: true

pkg/validator/container.go

@@ -155,7 +155,6 @@ func (cv *ContainerValidation) validateResourceRange(id, resourceName string, ra
 }
 
 func (cv *ContainerValidation) validateSecurity(conf *config.Configuration, controllerName string) {
-	category := messages.CategorySecurity
 	securityContext := cv.Container.SecurityContext
 	podSecurityContext := cv.parentPodSpec.SecurityContext
 
@@ -169,37 +168,7 @@ func (cv *ContainerValidation) validateSecurity(conf *config.Configuration, cont
 		podSecurityContext = &corev1.PodSecurityContext{}
 	}
 
-	name := "RunAsPrivileged"
-	if conf.IsActionable(conf.Security, name, controllerName) {
-		id := config.GetIDFromField(conf.Security, name)
-		if getBoolValue(securityContext.Privileged) {
-			cv.addFailure(messages.RunAsPrivilegedFailure, conf.Security.RunAsPrivileged, category, id)
-		} else {
-			cv.addSuccess(messages.RunAsPrivilegedSuccess, category, id)
-		}
-	}
-
-	name = "NotReadOnlyRootFileSystem"
-	if conf.IsActionable(conf.Security, name, controllerName) {
-		id := config.GetIDFromField(conf.Security, name)
-		if getBoolValue(securityContext.ReadOnlyRootFilesystem) {
-			cv.addSuccess(messages.ReadOnlyFilesystemSuccess, category, id)
-		} else {
-			cv.addFailure(messages.ReadOnlyFilesystemFailure, conf.Security.NotReadOnlyRootFileSystem, category, id)
-		}
-	}
-
-	name = "PrivilegeEscalationAllowed"
-	if conf.IsActionable(conf.Security, name, controllerName) {
-		id := config.GetIDFromField(conf.Security, name)
-		if getBoolValue(securityContext.AllowPrivilegeEscalation) {
-			cv.addFailure(messages.PrivilegeEscalationFailure, conf.Security.PrivilegeEscalationAllowed, category, id)
-		} else {
-			cv.addSuccess(messages.PrivilegeEscalationSuccess, category, id)
-		}
-	}
-
-	name = "Capabilities"
+	name := "Capabilities"
 	if conf.IsActionable(conf.Security, name, controllerName) {
 		cv.validateCapabilities(&conf.Security.Capabilities.Warning, &conf.Security.Capabilities.Error)
 	}
@@ -328,12 +297,3 @@ func capContains(list []corev1.Capability, val corev1.Capability) bool {
 
 	return false
 }
-
-// getBoolValue returns false if nil or returns the value of the bool pointer
-func getBoolValue(val *bool) bool {
-	if val == nil {
-		return false
-	}
-
-	return *val
-}

pkg/validator/schema.go

@@ -60,6 +60,9 @@ var (
 		"tagNotSpecified",
 		"hostPortSet",
 		"runAsRootAllowed",
+		"runAsPrivileged",
+		"notReadOnlyRootFileSystem",
+		"privilegeEscalationAllowed",
 	}
 )