From ef4ea66d49da9802230a3c5af3e7d9664e074fce Mon Sep 17 00:00:00 2001 From: Stevie <4719798+transient1@users.noreply.github.com> Date: Tue, 16 May 2023 16:31:43 -0400 Subject: [PATCH] Update checks documentation (#936) * Update docs with new checks; make sure both config-full has all config.yml checks * Update doc on mutating webhooks --------- Co-authored-by: Robert Brennan --- docs/admission-controller.md | 23 ++++++++++++++++++++++- docs/checks/reliability.md | 3 ++- docs/checks/security.md | 13 +++++++++++++ examples/config-full.yaml | 10 ++++++++-- examples/config.yaml | 1 + 5 files changed, 46 insertions(+), 4 deletions(-) diff --git a/docs/admission-controller.md b/docs/admission-controller.md index b4601ae3..2dc5a858 100644 --- a/docs/admission-controller.md +++ b/docs/admission-controller.md @@ -55,7 +55,28 @@ the deployment. To enable the mutating webhook, add `--set webhook.mutate=true` to your Helm instlallation command. -By default, the only mutation enabled is `pullPolicyNotAlways`. If you'd like to +The following default checks currently have mutation support enabled: +* `hostPIDSet` +* `hostNetworkSet` +* `hostIPCSet` +* `priorityClassNotSet` +* `hostPortSet` +* `pullPolicyNotAlways` +* `deploymentMissingReplicas` +* `dangerousCapabilities` +* `cpuLimitsMissing` +* `memoryLimitsMissing` +* `livenessProbeMissing` +* `memoryRequestsMissing` +* `cpuRequestsMissing` +* `runAsPrivileged` +* `readinessProbeMissing` +* `privilegeEscalationAllowed` +* `notReadOnlyRootFilesystem` +* `insecureCapabilities` +* `runAsRootAllowed` + +If you'd like to enable other mutations, you can set the `webhook.mutations` flag. diff --git a/docs/checks/reliability.md b/docs/checks/reliability.md index 911ee8af..2cdf0feb 100644 --- a/docs/checks/reliability.md +++ b/docs/checks/reliability.md 
@@ -16,7 +16,8 @@ key | default | description
 `pullPolicyNotAlways` | `warning` | Fails when an image pull policy is not `always`.
 `priorityClassNotSet` | `ignore` | Fails when a priorityClassName is not set for a pod.
 `deploymentMissingReplicas` | `warning` | Fails when there is only one replica for a deployment.
-`missingPodDisruptionBudget` | `ignore`
+`missingPodDisruptionBudget` | `ignore`
+`metadataAndNameMismatched` | `ignore`
 `topologySpreadConstraint` | `warning` | Fails when there is no topology spread constraint on the pod
 
 ## Background
diff --git a/docs/checks/security.md b/docs/checks/security.md
index 4696c2d9..86f9a48d 100644
--- a/docs/checks/security.md
+++ b/docs/checks/security.md
@@ -11,8 +11,10 @@ for privilege escalation.
 
 key | default | description
 ----|---------|------------
+`automountServiceAccountToken` | `warning` | Fails when `automountServiceAccountToken` is automounted.
 `hostIPCSet` | `danger` | Fails when `hostIPC` attribute is configured.
 `hostPIDSet` | `danger` | Fails when `hostPID` attribute is configured.
+`linuxHardening` | `danger` | Fails when neither `AppArmor`, `Seccomp`, `SELinux`, or dropping Linux Capabilities is in use.
 `notReadOnlyRootFilesystem` | `warning` | Fails when `securityContext.readOnlyRootFilesystem` is not true.
 `privilegeEscalationAllowed` | `danger` | Fails when `securityContext.allowPrivilegeEscalation` is true.
 `runAsRootAllowed` | `warning` | Fails when `securityContext.runAsNonRoot` is not true.
@@ -22,6 +24,17 @@ key | default | description
 `hostNetworkSet` | `warning` | Fails when `hostNetwork` attribute is configured.
 `hostPortSet` | `warning` | Fails when `hostPort` attribute is configured.
 `tlsSettingsMissing` | `warning` | Fails when an Ingress lacks TLS settings.
+`sensitiveContainerEnvVar` | `warning` | Fails when the container sets potentially sensitive environment variables.
+`sensitiveConfigmapContent` | `warning` | Fails when potentially sensitive content is detected in the ConfigMap keys or values.
+`missingNetworkPolicy` | `ignore`
+`clusterrolePodExecAttach` | `warning` | Fails when the ClusterRole allows Pods/exec or pods/attach.
+`rolePodExecAttach` | `warning` | Fails when the Role allows Pods/exec or pods/attach.
+`clusterrolebindingPodExecAttach` | `warning` | Fails when the ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist.
+`rolebindingRolePodExecAttach` | `warning` | Fails when the RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist.
+`rolebindingClusterRolePodExecAttach` | `warning` | Fails when the RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist.
+`clusterrolebindingClusterAdmin` | `warning` | Fails when the ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions.
+`rolebindingClusterAdminClusterRole` | `warning` | Fails when the RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions.
+`rolebindingClusterAdminRole` | `warning` | Fails when the RoleBinding references a Role with wildcard permissions.
 
 ## Background
 
diff --git a/examples/config-full.yaml b/examples/config-full.yaml
index 38a24435..481d4edc 100644
--- a/examples/config-full.yaml
+++ b/examples/config-full.yaml
@@ -6,17 +6,23 @@ checks:
   pullPolicyNotAlways: warning
   readinessProbeMissing: warning
   livenessProbeMissing: warning
+  topologySpreadConstraint: warning
+  pdbDisruptionsIsZero: warning
+  missingPodDisruptionBudget: ignore
+  metadataAndNameMismatched: ignore
+
   # efficiency
   cpuRequestsMissing: warning
   cpuLimitsMissing: warning
   memoryRequestsMissing: warning
   memoryLimitsMissing: warning
+
   # security
   automountServiceAccountToken: warning
   hostIPCSet: danger
   hostPIDSet: danger
   linuxHardening: danger
-  missingNetworkPolicy: warning
+  missingNetworkPolicy: ignore
   notReadOnlyRootFilesystem: warning
   privilegeEscalationAllowed: danger
   runAsRootAllowed: danger
@@ -25,6 +31,7 @@ checks:
   insecureCapabilities: warning
   hostNetworkSet: danger
   hostPortSet: warning
+  tlsSettingsMissing: warning
   sensitiveContainerEnvVar: danger
   sensitiveConfigmapContent: danger
   clusterrolePodExecAttach: danger
@@ -39,7 +46,6 @@ checks:
 
   resourceLimits: warning
   imageRegistry: danger
-
 exemptions:
   - controllerNames:
     - my-network-controller
diff --git a/examples/config.yaml b/examples/config.yaml
index dfb35207..f95bfc3e 100644
--- a/examples/config.yaml
+++ b/examples/config.yaml
@@ -16,6 +16,7 @@ checks:
   cpuLimitsMissing: warning
   memoryRequestsMissing: warning
   memoryLimitsMissing: warning
+
   # security
   automountServiceAccountToken: ignore
   hostIPCSet: danger
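Review bot: The downgrade of `missingNetworkPolicy` from `warning` to `ignore` in the first hunk of examples/config-full.yaml is unexplained by the commit message and weakens the one example that is meant to show every check enabled; `ignore` presumably suppresses the finding entirely, so a user who copies this file gets no signal for namespaces with no NetworkPolicy, which is the only pod-to-pod isolation check in the list. Either keep `missingNetworkPolicy: warning` here, or keep `ignore` but add a comment above the line such as `# missingNetworkPolicy defaults to ignore; set to warning to flag namespaces without a NetworkPolicy`. Separately, `pdbDisruptionsIsZero: warning` is added to this example while the docs/checks/reliability.md hunk in the same patch adds only `metadataAndNameMismatched`, so unless it is documented outside that hunk the "full" example now references a check the checks table does not describe; a one-line table row with its default severity and description would keep the two in step.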