kubeaudit does not understand PodSecurityContext.seccompProfile

[dmitry-irtegov]

ISSUE TYPE

• Bug Report

BUG REPORT

SUMMARY

In k8s 1.20 was introduced GA syntax for setting seccompProfile:

    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault

When running kubeaudit on pods with this setting, it complains about SeccompAnnotationMissing

ENVIRONMENT

• Kubeaudit version: v0.14.1
• Kubeaudit install method: docker image using "With RBAC" manifest

STEPS TO REPRODUCE

Deploy the kubernetes-dashboard according with https://github.com/kubernetes/dashboard/blob/master/aio/deploy/recommended.yaml, but the daemonset spec modified as follows:

spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - args:
        - --auto-generate-certificates
        - --dashboard-endpoint=https://127.0.0.1:8443
        image: docker.io/kublr/k8s-dashboard-auth-proxy:v1.0
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /
            port: 9443
            scheme: HTTPS
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 30
        name: kubernetes-dashboard-auth-proxy
        ports:
        - containerPort: 9443
          protocol: TCP
        resources:
          limits:
            cpu: 50m
            memory: 100Mi
          requests:
            cpu: 5m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 2001
          runAsUser: 1001
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /certs
          name: kubernetes-dashboard-certs
        - mountPath: /tmp
          name: tmp-volume
      - args:
        - --auto-generate-certificates
        - --namespace=kubernetes-dashboard
        - --enable-skip-login=true
        image: docker.io/kubernetesui/dashboard:v2.0.4
        imagePullPolicy: Always
        name: kubernetes-dashboard
        ports:
        - containerPort: 8443
          protocol: TCP
        resources:
          limits:
            cpu: 100m
            memory: 512Mi
          requests:
            cpu: 10m
            memory: 50Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 2001
          runAsUser: 1001
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /certs
          name: kubernetes-dashboard-certs
        - mountPath: /tmp
          name: tmp-volume
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccount: kubernetes-dashboard
      serviceAccountName: kubernetes-dashboard
      terminationGracePeriodSeconds: 30
      tolerations:
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          defaultMode: 420
          secretName: kubernetes-dashboard-certs
      - emptyDir: {}
        name: tmp-volume

Run kubeaudit by applying the following manifest:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubeaudit
  namespace: default

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kubeaudit
rules:
  - apiGroups: [""]
    resources:
      - pods
      - podtemplates
      - replicationcontrollers
      - namespaces
      - serviceaccounts
    verbs: ["list"]
  - apiGroups: ["apps"]
    resources:
      - daemonsets
      - statefulsets
      - deployments
    verbs: ["list"]
  - apiGroups: ["batch"]
    resources:
      - cronjobs
    verbs: ["list"]
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs: ["list"]

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kubeaudit
subjects:
  - kind: ServiceAccount
    name: kubeaudit
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeaudit

---

apiVersion: batch/v1
kind: Job
metadata:
  name: kubeaudit
  namespace: default
spec:
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/kubeaudit: runtime/default
        seccomp.security.alpha.kubernetes.io/pod: runtime/default
    spec:
      serviceAccountName: kubeaudit
      restartPolicy: OnFailure
      containers:
        - name: kubeaudit
          image: shopify/kubeaudit:v0.14.1
          args: ["all", "--exitcode", "0"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["all"]
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true

EXPECTED RESULTS

Kubeaudit complains about AppArmorAnnotationMissing but not about SeccompAnnotationMissing.

ACTUAL RESULTS

---------------- Results for ---------------

  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

--------------------------------------------

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard-auth-proxy' should be added.
   Metadata:
      Container: kubernetes-dashboard-auth-proxy
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard-auth-proxy

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard' should be added.
   Metadata:
      Container: kubernetes-dashboard
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard

-- [error] SeccompAnnotationMissing
   Message: Seccomp annotation is missing. The annotation seccomp.security.alpha.kubernetes.io/pod: runtime/default should be added.
   Metadata:
      MissingAnnotation: seccomp.security.alpha.kubernetes.io/pod

ADDITIONAL INFORMATION

[genevieveluyt]

Hey @dmitry-irtegov , thanks for bringing this up and providing a detailed example! This sounds like something we definitely want to support

[danishprakash]

Hey @genevieveluyt, mind If I take a look at this?

[hottea773]

@danishprakash Did you ever take a look at this?

[Ser87ch]

Hi @genevieveluyt , I'm planning to fix this issue. I'm wondering if I should do a breaking change with kubeaudit to support seccompProfile only in securityContext? Or it's better still to support both annotations and securityContext?
Thanks

[hottea773]

(FWIW the securityContext field was added in k8s 1.19 which was released in August 2020. k8s 1.18 is end of life, and has been for a while, so it would seem fair to me to no longer support it. But I'm just someone interested in this feature 😄.)

[genevieveluyt]

Hey @danishprakash and @Ser87ch , sorry I missed your messages! Been getting too many Dependabot notifications drowning out important ones 😢 . Thank you @Ser87ch for opening a PR, I will take a look!