From f7dccc079b3cef7b7fc63c5b6f2fd9e119d50540 Mon Sep 17 00:00:00 2001
From: Robert Brennan
Date: Mon, 23 Dec 2019 19:14:23 +0000
Subject: [PATCH] move more security checks to jsonschema

---
 checks/notReadOnlyRootFileSystem.yaml | 18 +++++++++++
 checks/privilegeEscalationAllowed.yaml | 15 +++++++++
 checks/runAsPrivileged.yaml | 15 +++++++++
 pkg/validator/container.go | 42 +------------------------
 pkg/validator/schema.go | 3 ++
 5 files changed, 52 insertions(+), 41 deletions(-)
 create mode 100644 checks/notReadOnlyRootFileSystem.yaml
 create mode 100644 checks/privilegeEscalationAllowed.yaml
 create mode 100644 checks/runAsPrivileged.yaml

diff --git a/checks/notReadOnlyRootFileSystem.yaml b/checks/notReadOnlyRootFileSystem.yaml
new file mode 100644
index 00000000..509bf2e8
--- /dev/null
+++ b/checks/notReadOnlyRootFileSystem.yaml
@@ -0,0 +1,18 @@
+name: NotReadOnlyRootFileSystem
+id: notReadOnlyRootFileSystem
+successMessage: Filesystem is read only
+failureMessage: Filesystem should be read only
+category: Security
+target: Container
+schema:
+ '$schema': http://json-schema.org/draft-07/schema
+ type: object
+ required:
+ - securityContext
+ properties:
+ securityContext:
+ required:
+ - readOnlyRootFilesystem
+ properties:
+ readOnlyRootFilesystem:
+ const: true
diff --git a/checks/privilegeEscalationAllowed.yaml b/checks/privilegeEscalationAllowed.yaml
new file mode 100644
index 00000000..912db92d
--- /dev/null
+++ b/checks/privilegeEscalationAllowed.yaml
@@ -0,0 +1,15 @@
+name: PrivilegeEscalationAllowed
+id: privilegeEscalationAllowed
+successMessage: Privilege escalation not allowed
+failureMessage: Privilege escalation should not be allowed
+category: Security
+target: Container
+schema:
+ '$schema': http://json-schema.org/draft-07/schema
+ type: object
+ properties:
+ securityContext:
+ properties:
+ allowPrivilegeEscalation:
+ not:
+ const: true
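Review bot: The `securityContext` subschema in notReadOnlyRootFileSystem.yaml declares `required` and `properties` but no `type`, so under draft-07 an explicit `securityContext: null` (or any non-object value) satisfies it and the check reports success rather than a failure; adding `type: object` directly under `securityContext:` closes that gap. As far as I can tell the Kubernetes client omits a nil securityContext instead of serializing null, so this is defence in depth rather than a live bypass, but it is a one-line change and makes the schema's intent — a missing or malformed security context is a failure — explicit. The top level already carries `type: object`, so it is also just consistency one level down.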
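Review bot: The `allowPrivilegeEscalation` subschema in privilegeEscalationAllowed.yaml is `not: {const: true}`, so a container that leaves the field unset passes the check, yet an unset value does not set `no_new_privs` on the container process — the kubelet only disables escalation when the field is explicitly `false`. The removed Go code had the same gap (`getBoolValue` treated nil as false), so the port is faithful, but now that the check is a plain schema it is a three-line change to make absence a failure: `required:` / `- allowPrivilegeEscalation` under `securityContext:`, and `const: false` in place of the `not:` block. If that tightening is out of scope for a pure port, a comment in the file stating that an absent field is accepted would at least make the choice visible to whoever reads the check next.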
diff --git a/checks/runAsPrivileged.yaml b/checks/runAsPrivileged.yaml
new file mode 100644
index 00000000..8c9b6ff1
--- /dev/null
+++ b/checks/runAsPrivileged.yaml
@@ -0,0 +1,15 @@
+name: RunAsPrivileged
+id: runAsPrivileged
+successMessage: Not running as privileged
+failureMessage: Should not be running as privileged
+category: Security
+target: Container
+schema:
+ '$schema': http://json-schema.org/draft-07/schema
+ type: object
+ properties:
+ securityContext:
+ properties:
+ privileged:
+ not:
+ const: true
diff --git a/pkg/validator/container.go b/pkg/validator/container.go
index 7421206c..85beade5 100644
--- a/pkg/validator/container.go
+++ b/pkg/validator/container.go
@@ -155,7 +155,6 @@ func (cv *ContainerValidation) validateResourceRange(id, resourceName string, ra
 }
 
 func (cv *ContainerValidation) validateSecurity(conf *config.Configuration, controllerName string) {
- category := messages.CategorySecurity
 securityContext := cv.Container.SecurityContext
 podSecurityContext := cv.parentPodSpec.SecurityContext
 
@@ -169,37 +168,7 @@ func (cv *ContainerValidation) validateSecurity(conf *config.Configuration, cont
 podSecurityContext = &corev1.PodSecurityContext{}
 }
 
- name := "RunAsPrivileged"
- if conf.IsActionable(conf.Security, name, controllerName) {
- id := config.GetIDFromField(conf.Security, name)
- if getBoolValue(securityContext.Privileged) {
- cv.addFailure(messages.RunAsPrivilegedFailure, conf.Security.RunAsPrivileged, category, id)
- } else {
- cv.addSuccess(messages.RunAsPrivilegedSuccess, category, id)
- }
- }
-
- name = "NotReadOnlyRootFileSystem"
- if conf.IsActionable(conf.Security, name, controllerName) {
- id := config.GetIDFromField(conf.Security, name)
- if getBoolValue(securityContext.ReadOnlyRootFilesystem) {
- cv.addSuccess(messages.ReadOnlyFilesystemSuccess, category, id)
- } else {
- cv.addFailure(messages.ReadOnlyFilesystemFailure, conf.Security.NotReadOnlyRootFileSystem, category, id)
- }
- }
-
- name = "PrivilegeEscalationAllowed"
- if conf.IsActionable(conf.Security, name, controllerName) {
- id := config.GetIDFromField(conf.Security, name)
- if getBoolValue(securityContext.AllowPrivilegeEscalation) {
- cv.addFailure(messages.PrivilegeEscalationFailure, conf.Security.PrivilegeEscalationAllowed, category, id)
- } else {
- cv.addSuccess(messages.PrivilegeEscalationSuccess, category, id)
- }
- }
-
- name = "Capabilities"
+ name := "Capabilities"
 if conf.IsActionable(conf.Security, name, controllerName) {
 cv.validateCapabilities(&conf.Security.Capabilities.Warning, &conf.Security.Capabilities.Error)
 }
@@ -328,12 +297,3 @@ func capContains(list []corev1.Capability, val corev1.Capability) bool {
 return false
 }
-
-// getBoolValue returns false if nil or returns the value of the bool pointer
-func getBoolValue(val *bool) bool {
- if val == nil {
- return false
- }
-
- return *val
-}
diff --git a/pkg/validator/schema.go b/pkg/validator/schema.go
index 8f92d03b..3e38075d 100644
--- a/pkg/validator/schema.go
+++ b/pkg/validator/schema.go
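Review bot: The removed branches were gated per controller by `conf.IsActionable(conf.Security, name, controllerName)` and took their severity from `conf.Security.RunAsPrivileged`, `conf.Security.NotReadOnlyRootFileSystem` and `conf.Security.PrivilegeEscalationAllowed`; nothing in this hunk shows that the schema-driven path applies the same exemption and severity lookup for the three new ids, so that is worth pinning with a test that exempts one controller from `runAsPrivileged` and asserts no result is emitted for it. If those three `conf.Security` fields are still declared in the config struct they are now unreferenced from this file and either feed the schema path or are dead. `validateSecurity` continues outside the hunk on both sides, so I cannot see whether the surviving `securityContext` local still has a reader beyond the capabilities check in the trailing context.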
@@ -60,6 +60,9 @@ var (
 "tagNotSpecified",
 "hostPortSet",
 "runAsRootAllowed",
+ "runAsPrivileged",
+ "notReadOnlyRootFileSystem",
+ "privilegeEscalationAllowed",
 }
 )
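Review bot: The three ids appended here must match the `id:` field of the new files under `checks/` byte for byte, and nothing in this file enforces that; a small test that walks `checks/*.yaml`, reads each `id`, and asserts it appears in this list (and that every entry here has a file) would catch a typo or a forgotten registration, which otherwise silently drops a security check now that the Go implementations are deleted in the same commit. The `var (` block this list belongs to starts outside the hunk, so its name is not visible here, but the neighbouring `runAsRootAllowed` entry suggests it is the set of schema checks enabled by default.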