From c16aac808f67a646c44ef4f8ce14dcb81ff92fd7 Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Thu, 11 Feb 2021 17:11:16 -0500 Subject: [PATCH] fix checks for k8s defaults (#496) * fix insecure caps check * add more tests * fix privilege escalation allowed --- checks/insecureCapabilities.yaml | 58 ++++++++++++++----- checks/privilegeEscalationAllowed.yaml | 7 ++- pkg/validator/container_test.go | 16 ++--- .../failure.drop-most.yaml | 29 ++++++++++ test/checks/insecureCapabilities/failure.yaml | 10 ++++ .../insecureCapabilities/success.drop.yaml | 14 +++++ test/checks/insecureCapabilities/success.yaml | 29 ++++++++++ .../failure.unspecified.yaml | 10 ++++ .../privilegeEscalationAllowed/failure.yaml | 13 +++++ .../privilegeEscalationAllowed/success.yaml | 12 ++++ 10 files changed, 172 insertions(+), 26 deletions(-) create mode 100644 test/checks/insecureCapabilities/failure.drop-most.yaml create mode 100644 test/checks/insecureCapabilities/failure.yaml create mode 100644 test/checks/insecureCapabilities/success.drop.yaml create mode 100644 test/checks/insecureCapabilities/success.yaml create mode 100644 test/checks/privilegeEscalationAllowed/failure.unspecified.yaml create mode 100644 test/checks/privilegeEscalationAllowed/failure.yaml create mode 100644 test/checks/privilegeEscalationAllowed/success.yaml diff --git a/checks/insecureCapabilities.yaml b/checks/insecureCapabilities.yaml index e5afcfd0..28951f76 100644 --- a/checks/insecureCapabilities.yaml +++ b/checks/insecureCapabilities.yaml 
@@ -5,27 +5,53 @@ target: Container schema: '$schema': http://json-schema.org/draft-07/schema type: object + required: + - securityContext properties: securityContext: type: object + required: + - capabilities properties: capabilities: type: object + required: + - drop properties: - add: - enum: - - CHOWN - - DAC_OVERRIDE - - FSETID - - FOWNER - - MKNOD - - NET_RAW - - SETGID - - SETUID - - SETFCAP - - SETPCAP - - NET_BIND_SERVICE - - SYS_CHROOT - - KILL - - AUDIT_WRITE + drop: + type: array + oneOf: + - contains: + const: ALL + - allOf: + - contains: + const: NET_ADMIN + - contains: + const: CHOWN + - contains: + const: DAC_OVERRIDE + - contains: + const: FSETID + - contains: + const: FOWNER + - contains: + const: MKNOD + - contains: + const: NET_RAW + - contains: + const: SETGID + - contains: + const: SETUID + - contains: + const: SETFCAP + - contains: + const: SETPCAP + - contains: + const: NET_BIND_SERVICE + - contains: + const: SYS_CHROOT + - contains: + const: KILL + - contains: + const: AUDIT_WRITE diff --git a/checks/privilegeEscalationAllowed.yaml b/checks/privilegeEscalationAllowed.yaml index 6db1f836..5c72a35a 100644 --- a/checks/privilegeEscalationAllowed.yaml +++ b/checks/privilegeEscalationAllowed.yaml @@ -5,9 +5,12 @@ target: Container schema: '$schema': http://json-schema.org/draft-07/schema type: object + required: + - securityContext properties: securityContext: + required: + - allowPrivilegeEscalation properties: allowPrivilegeEscalation: - not: - const: true + const: false diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go index f455ebc7..1de7d77c 100644 --- a/pkg/validator/container_test.go +++ b/pkg/validator/container_test.go 
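Review bot: The rewritten schema never inspects `capabilities.add`, so a container declaring `drop: [ALL]` together with `add: [SYS_ADMIN]` passes this check even though `add` is applied after `drop` and SYS_ADMIN ends up in the effective set. The removed `add: enum:` block was wrong for an array, but its intent should be kept as a sibling property, e.g. `add: {type: array, not: {contains: {enum: [ALL, NET_ADMIN, CHOWN, DAC_OVERRIDE, FSETID, FOWNER, MKNOD, NET_RAW, SETGID, SETUID, SETFCAP, SETPCAP, NET_BIND_SERVICE, SYS_CHROOT, KILL, AUDIT_WRITE]}}}` (trim the list if `drop: [ALL]` plus a single re-added `NET_BIND_SERVICE` is meant to stay green). Separately, `oneOf` under `drop` should be `anyOf`: a list that contains `ALL` alongside the individual names matches both branches and is rejected. The check's id and failure message sit above line 5, outside this hunk.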
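Review bot: `securityContext` gains `required` here but no `type: object`, while the insecureCapabilities schema in the same patch declares `type: object` at that level; adding `type: object` under `securityContext:` keeps the two checks parallel. Replacing `not: {const: true}` with `const: false` is what makes an unspecified field fail, which is the right default for this check, and a one-line comment above `allowPrivilegeEscalation:` such as `# unset is treated as allowed by Kubernetes, so an explicit false is required` would record why the check is strict. The check's id and failure message are above line 5, outside the hunk.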
@@ -555,14 +555,14 @@ func TestValidateSecurity(t *testing.T) { Category: "Security", }, { ID: "privilegeEscalationAllowed", - Message: "Privilege escalation not allowed", - Success: true, + Message: "Privilege escalation should not be allowed", + Success: false, Severity: "danger", Category: "Security", }, { ID: "insecureCapabilities", - Message: "Container does not have any insecure capabilities", - Success: true, + Message: "Container should not have insecure capabilities", + Success: false, Severity: "warning", Category: "Security", }, { @@ -739,8 +739,8 @@ func TestValidateSecurity(t *testing.T) { Category: "Security", }, { ID: "insecureCapabilities", - Message: "Container does not have any insecure capabilities", - Success: true, + Message: "Container should not have insecure capabilities", + Success: false, Severity: "warning", Category: "Security", }}, @@ -758,8 +758,8 @@ func TestValidateSecurity(t *testing.T) { Category: "Security", }, { ID: "insecureCapabilities", - Message: "Container does not have any insecure capabilities", - Success: true, + Message: "Container should not have insecure capabilities", + Success: false, Severity: "danger", Category: "Security", }, { diff --git a/test/checks/insecureCapabilities/failure.drop-most.yaml b/test/checks/insecureCapabilities/failure.drop-most.yaml new file mode 100644 index 00000000..99d50eb2 --- /dev/null +++ b/test/checks/insecureCapabilities/failure.drop-most.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx + labels: + env: test +spec: + containers: + - name: nginx + image: nginx + securityContext: + capabilities: + drop: + - NET_ADMIN + - CHOWN + - DAC_OVERRIDE + - FSETID + - FOWNER + - MKNOD + - NET_RAW + - SETGID + - SETUID + - SETFCAP + - SETPCAP + - NET_BIND_SERVICE + - SYS_CHROOT + - KILL + + diff --git a/test/checks/insecureCapabilities/failure.yaml b/test/checks/insecureCapabilities/failure.yaml new file mode 100644 index 00000000..6996877c --- /dev/null 
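Review bot: This fixture drops `NET_ADMIN`, which the removed `add` enum in checks/insecureCapabilities.yaml did not list, so the rewritten check now demands dropping a capability that, as far as I can tell, is not in the default set a container starts with; a manifest that drops exactly the 14 formerly-listed capabilities fails with the same message as one that drops nothing. Worth confirming that is intended, and if so a fixture named for it (e.g. `failure.drop-defaults-only.yaml`, omitting `NET_ADMIN` instead of `AUDIT_WRITE`) would document the decision. The two trailing blank `+` lines at the end of this file are stray whitespace.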
+++ b/test/checks/insecureCapabilities/failure.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx + labels: + env: test +spec: + containers: + - name: nginx + image: nginx diff --git a/test/checks/insecureCapabilities/success.drop.yaml b/test/checks/insecureCapabilities/success.drop.yaml new file mode 100644 index 00000000..20d062ea --- /dev/null +++ b/test/checks/insecureCapabilities/success.drop.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx + labels: + env: test +spec: + containers: + - name: nginx + image: nginx + securityContext: + capabilities: + drop: + - ALL diff --git a/test/checks/insecureCapabilities/success.yaml b/test/checks/insecureCapabilities/success.yaml new file mode 100644 index 00000000..0758d8b5 --- /dev/null +++ b/test/checks/insecureCapabilities/success.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx + labels: + env: test +spec: + containers: + - name: nginx + image: nginx + securityContext: + capabilities: + drop: + - NET_ADMIN + - CHOWN + - DAC_OVERRIDE + - FSETID + - FOWNER + - MKNOD + - NET_RAW + - SETGID + - SETUID + - SETFCAP + - SETPCAP + - NET_BIND_SERVICE + - SYS_CHROOT + - KILL + - AUDIT_WRITE + diff --git a/test/checks/privilegeEscalationAllowed/failure.unspecified.yaml b/test/checks/privilegeEscalationAllowed/failure.unspecified.yaml new file mode 100644 index 00000000..6996877c --- /dev/null +++ b/test/checks/privilegeEscalationAllowed/failure.unspecified.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx + labels: + env: test +spec: + containers: + - name: nginx + image: nginx diff --git a/test/checks/privilegeEscalationAllowed/failure.yaml b/test/checks/privilegeEscalationAllowed/failure.yaml new file mode 100644 index 00000000..aa3fa34e --- /dev/null +++ b/test/checks/privilegeEscalationAllowed/failure.yaml 
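Review bot: No fixture in this patch exercises `capabilities.add`, and with the schema as written a pod that pairs this file's `drop: [ALL]` with `add: [SYS_ADMIN]` is also reported as a success; a `failure.drop-all-add.yaml` fixture with that combination would pin the expected result and currently fail, which is exactly the gap it should expose. Suggested contents: the same pod as here with `add:` / `- SYS_ADMIN` appended under `capabilities:`.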
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx + labels: + env: test +spec: + containers: + - name: nginx + image: nginx + securityContext: + allowPrivilegeEscalation: true + diff --git a/test/checks/privilegeEscalationAllowed/success.yaml b/test/checks/privilegeEscalationAllowed/success.yaml new file mode 100644 index 00000000..9d48513b --- /dev/null +++ b/test/checks/privilegeEscalationAllowed/success.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx + labels: + env: test +spec: + containers: + - name: nginx + image: nginx + securityContext: + allowPrivilegeEscalation: false