This repository has been archived by the owner on Oct 30, 2024. It is now read-only.

Kubeaudit seems to ignore cluster and namespace default PSP #326

Closed
dmitry-irtegov opened this issue Feb 10, 2021 · 1 comment

Comments

@dmitry-irtegov

ISSUE TYPE
  • [*] Bug Report
  • Feature Idea

BUG REPORT

SUMMARY

I tried to run kubeaudit on a cluster with a restricted cluster-level default PSP.

Because cluster default is restricted, many pods do not have explicit security context settings.
Kubeaudit complains that these pods are privileged.

ENVIRONMENT
  • Kubeaudit version: 0.12.0
  • Kubeaudit install method: Binary
STEPS TO REPRODUCE

Deploy cluster-level default PSP like this:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  volumes:
    - '*'
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false

Deploy the Grafana Helm chart.
Run `kubeaudit all`.

EXPECTED RESULTS

Kubeaudit notices cluster-default PSP and understands that Grafana pods are not privileged (yes, some other settings in this PSP are not secure by kubeaudit standards).

ACTUAL RESULTS

Kubeaudit complains that Grafana runs privileged.

@genevieveluyt
Contributor

Hey @dmitry-irtegov, kubeaudit doesn't support PSPs and we don't plan on adding support since PSPs are deprecated (kubernetes/kubernetes#97171)
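The behaviour described in this thread, as an added example that is not part of the issue or of kubeaudit's own code: kubeaudit inspects only the securityContext fields written explicitly in the pod spec, so a pod that relies on a cluster-default PSP for its restrictions still produces findings. The script below is a simplified audit modelled on that behaviour (the check names and messages are my own, not kubeaudit's identifiers), run over two constructed pod manifests: one with no securityContext at all, as a chart that trusts the PSP would render it, and the same pod with the restrictions of the issue's PSP written out explicitly. The pod name and image tag are placeholders.

```python
"""Simplified pod audit: only explicit securityContext fields count.

A cluster-default PodSecurityPolicy is never consulted, which reproduces the
situation reported in the issue. The remediation that satisfies both the PSP
and an explicit-field auditor is to set the fields in the pod spec itself.
"""
from typing import Any, Dict, List, Optional

# Constructed sample 1: no securityContext anywhere (relies on the PSP).
POD_NO_SECURITY_CONTEXT: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "grafana-example"},  # hypothetical name
    "spec": {
        "containers": [
            {"name": "grafana", "image": "grafana/grafana:PLACEHOLDER_TAG"},
        ]
    },
}

# Constructed sample 2: the same pod with the restrictions of the issue's
# PSP (privileged: false, allowPrivilegeEscalation: false, MustRunAsNonRoot)
# plus a read-only root filesystem and dropped capabilities made explicit.
POD_EXPLICIT: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "grafana-example"},  # hypothetical name
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 65534},
        "containers": [
            {
                "name": "grafana",
                "image": "grafana/grafana:PLACEHOLDER_TAG",
                "securityContext": {
                    "privileged": False,
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            }
        ],
    },
}


def effective(container_sc: Dict[str, Any], pod_sc: Dict[str, Any], key: str) -> Optional[Any]:
    """Container-level securityContext overrides the pod-level one in Kubernetes."""
    if key in container_sc:
        return container_sc[key]
    return pod_sc.get(key)


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per unset or unsafe explicit field, per container.

    An unset field is reported as a finding even if a PSP would have enforced
    a safe value, because the PSP is not part of the pod spec being audited.
    """
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for container in spec.get("containers", []):
        name = container["name"]
        sc = container.get("securityContext") or {}

        privileged = sc.get("privileged")
        if privileged is None:
            findings.append(f"{name}: privileged not explicitly set to false")
        elif privileged:
            findings.append(f"{name}: privileged is true")

        ape = sc.get("allowPrivilegeEscalation")
        if ape is None:
            findings.append(f"{name}: allowPrivilegeEscalation not explicitly set to false")
        elif ape:
            findings.append(f"{name}: allowPrivilegeEscalation is true")

        run_as_non_root = effective(sc, pod_sc, "runAsNonRoot")
        if run_as_non_root is None:
            findings.append(f"{name}: runAsNonRoot not set on container or pod")
        elif not run_as_non_root:
            findings.append(f"{name}: runAsNonRoot is false")

        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem not set to true")

        dropped = (sc.get("capabilities") or {}).get("drop", [])
        if "ALL" not in dropped:
            findings.append(f"{name}: capabilities.drop does not include ALL")
    return findings


def is_compliant(pod: Dict[str, Any]) -> bool:
    """True when the explicit fields alone satisfy every check."""
    return not audit_pod(pod)


if __name__ == "__main__":
    for label, pod in (("no securityContext", POD_NO_SECURITY_CONTEXT), ("explicit", POD_EXPLICIT)):
        print(f"== {label}: {'compliant' if is_compliant(pod) else 'findings'}")
        for finding in audit_pod(pod):
            print("  -", finding)
```

The first pod yields a finding for every check, including the "privileged" one the issue reports, even though the restricted PSP would never let it run privileged; the second yields none. In a chart-based deployment the practical fix is therefore to set these fields through the chart's values (or a post-render patch) rather than relying on the admission-time policy, which also keeps the workload's posture visible in the manifest itself.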
