diff --git a/README.md b/README.md
index 31cf801a..a4580701 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,8 @@
 > It is now a requirement for clusters to run Kubernetes >=1.19.
+> override labels with unregistered `kubernetes.io` annotations will be deprecated. It'll soon be a requirement to use `kubeaudit.io` instead.
+Refer to this [discussion](https://github.com/Shopify/kubeaudit/issues/457) for additional context.
 # kubeaudit :cloud: :lock: :muscle:
@@ -292,13 +294,13 @@ The `key` is a combination of the override type (container or pod) and an `overr
 1. **Container overrides**, which override the auditor for that specific container, are formatted as follows:
 ```yaml
-container.audit.kubernetes.io/[container name].[override identifier]
+container.kubeaudit.io/[container name].[override identifier]
 ```
 2. **Pod overrides**, which override the auditor for all containers within the pod, are formatted as follows:
 ```yaml
-audit.kubernetes.io/pod.[override identifier]
+kubeaudit.io/[override identifier]
 ```
 If the `value` is set to a non-empty string, it will be displayed in the `info` result as the `OverrideReason`:
diff --git a/auditors/apparmor/apparmor_test.go b/auditors/apparmor/apparmor_test.go
index b02e9791..a8862971 100644
--- a/auditors/apparmor/apparmor_test.go
+++ b/auditors/apparmor/apparmor_test.go
@@ -24,6 +24,7 @@ func TestAuditAppArmor(t *testing.T) {
 {"apparmor-annotation-init-container-missing.yml", []string{AppArmorAnnotationMissing}, true},
 {"apparmor-disabled.yml", []string{AppArmorDisabled}, true},
 {"apparmor-disabled-overriden.yml", []string{override.GetOverriddenResultName(AppArmorDisabled)}, true},
+ {"apparmor-disabled-overriden-old-label.yml", []string{override.GetOverriddenResultName(AppArmorDisabled)}, true},
 {"apparmor-disabled-overriden-multiple.yml", []string{AppArmorAnnotationMissing, override.GetOverriddenResultName(AppArmorDisabled)}, true},
 // These are invalid manifests so we should only test it in manifest mode as kubernetes will fail to apply it
 {"apparmor-bad-value.yml", []string{AppArmorBadValue}, false},
diff --git a/auditors/apparmor/fixtures/apparmor-bad-value-override.yml b/auditors/apparmor/fixtures/apparmor-bad-value-override.yml
index 1df0cdff..beb4c514 100644
--- a/auditors/apparmor/fixtures/apparmor-bad-value-override.yml
+++ b/auditors/apparmor/fixtures/apparmor-bad-value-override.yml
@@ -6,7 +6,7 @@ metadata:
 annotations:
 container.apparmor.security.beta.kubernetes.io/container: badval
 labels:
- container.audit.kubernetes.io/container.allow-disabled-apparmor: "SomeReason"
+ container.kubeaudit.io/container.allow-disabled-apparmor: "SomeReason"
 spec:
 containers:
 - name: container
diff --git a/auditors/apparmor/fixtures/apparmor-disabled-overriden-multiple.yml b/auditors/apparmor/fixtures/apparmor-disabled-overriden-multiple.yml
index fe0496ff..ed6f0065 100644
--- a/auditors/apparmor/fixtures/apparmor-disabled-overriden-multiple.yml
+++ b/auditors/apparmor/fixtures/apparmor-disabled-overriden-multiple.yml
@@ -6,7 +6,7 @@ metadata:
 annotations:
 container.apparmor.security.beta.kubernetes.io/container2: unconfined
 labels:
- container.audit.kubernetes.io/container2.allow-disabled-apparmor: "SomeReason"
+ container.kubeaudit.io/container2.allow-disabled-apparmor: "SomeReason"
 spec:
 containers:
 - name: container
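Review bot: The new `apparmor-disabled-overriden-old-label.yml` case only asserts that the legacy `container.audit.kubernetes.io` label still yields `override.GetOverriddenResultName(AppArmorDisabled)`; nothing in this table, nor in the matching old-label cases added to capabilities_test.go and netpols_test.go, checks that use of the deprecated prefix is surfaced to the user, so a manifest that silences a finding with the old prefix is presumably indistinguishable in the output from one using `kubeaudit.io`. If the override lookup emits a deprecation warning for the old prefix, these cases should assert it; if it does not, the README's "will be deprecated" notice has no behaviour behind it. Backward-compatibility coverage is also confined to the audit path: TestFixCapabilities's "Pod override" case was moved to `override.GetOverrideLabel`, leaving no old-label case on the fix path. The new fixture's header comment says "old unregistered annotations (kubernetes.io)" although the keys sit under `labels:`; `# this is to test backwards compatibility with the old unregistered label prefix (audit.kubernetes.io)` would be accurate. The test table runs past both edges of this hunk.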
diff --git a/auditors/apparmor/fixtures/apparmor-disabled-overriden-old-label.yml b/auditors/apparmor/fixtures/apparmor-disabled-overriden-old-label.yml
new file mode 100644
index 00000000..5546c890
--- /dev/null
+++ b/auditors/apparmor/fixtures/apparmor-disabled-overriden-old-label.yml
@@ -0,0 +1,14 @@
+# this is to test backwards compatibility with old unregistered annotations (kubernetes.io)
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+ namespace: apparmor-disabled-overriden-old-label
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container: unconfined
+ labels:
+ container.audit.kubernetes.io/container.allow-disabled-apparmor: "SomeReason"
+spec:
+ containers:
+ - name: container
+ image: scratch
diff --git a/auditors/apparmor/fixtures/apparmor-disabled-overriden.yml b/auditors/apparmor/fixtures/apparmor-disabled-overriden.yml
index 6afdb01c..4801afb4 100644
--- a/auditors/apparmor/fixtures/apparmor-disabled-overriden.yml
+++ b/auditors/apparmor/fixtures/apparmor-disabled-overriden.yml
@@ -1,3 +1,5 @@
+# this tests then new kubeaudit labels for overriding errors (kubeaudit.io)
+
 apiVersion: v1
 kind: Pod
 metadata:
@@ -6,7 +8,7 @@ metadata:
 annotations:
 container.apparmor.security.beta.kubernetes.io/container: unconfined
 labels:
- container.audit.kubernetes.io/container.allow-disabled-apparmor: "SomeReason"
+ container.kubeaudit.io/container.allow-disabled-apparmor: "SomeReason"
 spec:
 containers:
 - name: container
diff --git a/auditors/asat/fixtures/service-account-token-redundant-override.yml b/auditors/asat/fixtures/service-account-token-redundant-override.yml
index 2d885276..65e626af 100644
--- a/auditors/asat/fixtures/service-account-token-redundant-override.yml
+++ b/auditors/asat/fixtures/service-account-token-redundant-override.yml
@@ -8,7 +8,7 @@ spec:
 metadata:
 labels:
 name: replicationcontroller
- audit.kubernetes.io/pod.allow-automount-service-account-token: "SomeReason"
+ kubeaudit.io/allow-automount-service-account-token: "SomeReason"
 spec:
 automountServiceAccountToken: false
 containers:
diff --git a/auditors/asat/fixtures/service-account-token-true-allowed.yml b/auditors/asat/fixtures/service-account-token-true-allowed.yml
index 919f5ae4..e8731809 100644
--- a/auditors/asat/fixtures/service-account-token-true-allowed.yml
+++ b/auditors/asat/fixtures/service-account-token-true-allowed.yml
@@ -8,7 +8,7 @@ spec:
 metadata:
 labels:
 name: replicationcontroller
- audit.kubernetes.io/pod.allow-automount-service-account-token: "SomeReason"
+ kubeaudit.io/allow-automount-service-account-token: "SomeReason"
 spec:
 automountServiceAccountToken: true
 containers:
diff --git a/auditors/capabilities/capabilities_test.go b/auditors/capabilities/capabilities_test.go
index 6f7aea0f..6c5ec93b 100644
--- a/auditors/capabilities/capabilities_test.go
+++ b/auditors/capabilities/capabilities_test.go
@@ -40,6 +40,11 @@ func TestAuditCapabilities(t *testing.T) {
 CapabilityShouldDropAll,
 override.GetOverriddenResultName(CapabilityAdded),
 }},
+ {"capabilities-some-allowed-multi-containers-mix-old-labels.yml", fixtureDir, []string{
+ CapabilityAdded,
+ CapabilityShouldDropAll,
+ override.GetOverriddenResultName(CapabilityAdded),
+ }},
 }
 for _, tc := range cases {
diff --git a/auditors/capabilities/fix_test.go b/auditors/capabilities/fix_test.go
index 83e64148..63b46cc8 100644
--- a/auditors/capabilities/fix_test.go
+++ b/auditors/capabilities/fix_test.go
@@ -71,7 +71,7 @@ func TestFixCapabilities(t *testing.T) {
 },
 {
 testName: "Pod override",
- overrides: []string{override.GetPodOverrideLabel(getOverrideLabel("orange"))},
+ overrides: []string{override.GetOverrideLabel(getOverrideLabel("orange"))},
 add: []string{"orange"},
 expectedAdd: []string{"orange"},
 drop: []string{},
diff --git a/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-all-labels.yml b/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-all-labels.yml
index 7fe2b172..563c3b3a 100644
--- a/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-all-labels.yml
+++ b/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-all-labels.yml
@@ -11,10 +11,10 @@ spec:
 metadata:
 labels:
 name: deployment
- container.audit.kubernetes.io/container1.allow-capability-chown: "SomeReason"
- container.audit.kubernetes.io/container1.allow-capability-sys-time: "SomeReason"
- container.audit.kubernetes.io/container2.allow-capability-chown: "SomeReason"
- container.audit.kubernetes.io/container2.allow-capability-sys-time: "SomeReason"
+ container.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
+ container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
+ container.kubeaudit.io/container2.allow-capability-chown: "SomeReason"
+ container.kubeaudit.io/container2.allow-capability-sys-time: "SomeReason"
 spec:
 containers:
 - name: container1
diff --git a/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-labels.yml b/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-labels.yml
index 6ce80cb3..18ff1252 100644
--- a/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-labels.yml
+++ b/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-labels.yml
@@ -11,10 +11,10 @@ spec:
 metadata:
 labels:
 name: deployment
- audit.kubernetes.io/pod.allow-capability-chown: "SomeReason"
- container.audit.kubernetes.io/container1.allow-capability-chown: "SomeReason"
- container.audit.kubernetes.io/container1.allow-capability-sys-time: "SomeReason"
- container.audit.kubernetes.io/container2.allow-capability-sys-time: "SomeReason"
+ kubeaudit.io/allow-capability-chown: "SomeReason"
+ container.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
+ container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
+ container.kubeaudit.io/container2.allow-capability-sys-time: "SomeReason"
 spec:
 containers:
 - name: container1
diff --git a/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-old-labels.yml b/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-old-labels.yml
new file mode 100644
index 00000000..7a6af0af
--- /dev/null
+++ b/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-old-labels.yml
@@ -0,0 +1,63 @@
+# this is to test backwards compatibility with old unregistered annotations (kubernetes.io)
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+ namespace: capabilities-some-allowed-multi-containers-mix-old-labels
+spec:
+ selector:
+ matchLabels:
+ name: deployment
+ template:
+ metadata:
+ labels:
+ name: deployment
+ audit.kubernetes.io/pod.allow-capability-chown: "SomeReason"
+ container.audit.kubernetes.io/container1.allow-capability-chown: "SomeReason"
+ container.audit.kubernetes.io/container1.allow-capability-sys-time: "SomeReason"
+ container.audit.kubernetes.io/container2.allow-capability-sys-time: "SomeReason"
+ spec:
+ containers:
+ - name: container1
+ image: scratch
+ securityContext:
+ capabilities:
+ add:
+ - SYS_TIME
+ - SYS_MODULE
+ drop:
+ - AUDIT_WRITE
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SETFCAP
+ - SETGID
+ - SETUID
+ - SETPCAP
+ - SYS_CHROOT
+ - name: container2
+ image: scratch
+ securityContext:
+ capabilities:
+ add:
+ - SYS_TIME
+ - SYS_MODULE
+ drop:
+ - AUDIT_WRITE
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SETFCAP
+ - SETGID
+ - SETUID
+ - SETPCAP
+ - SYS_CHROOT
diff --git a/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-some-labels.yml b/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-some-labels.yml
index 0e6a79a6..34f8f907 100644
--- a/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-some-labels.yml
+++ b/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-some-labels.yml
@@ -11,8 +11,8 @@ spec:
 metadata:
 labels:
 name: deployment
- container.audit.kubernetes.io/container1.allow-capability-chown: "SomeReason"
- container.audit.kubernetes.io/container1.allow-capability-sys-time: "SomeReason"
+ container.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
+ container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
 spec:
 containers:
 - name: container1
diff --git a/auditors/capabilities/fixtures/capabilities-some-allowed.yml b/auditors/capabilities/fixtures/capabilities-some-allowed.yml
index 7ba20b6b..4fb95b25 100644
--- a/auditors/capabilities/fixtures/capabilities-some-allowed.yml
+++ b/auditors/capabilities/fixtures/capabilities-some-allowed.yml
@@ -11,8 +11,8 @@ spec:
 metadata:
 labels:
 name: deployment
- audit.kubernetes.io/pod.allow-capability-chown: "SomeReason"
- audit.kubernetes.io/pod.allow-capability-sys-time: "SomeReason"
+ kubeaudit.io/allow-capability-chown: "SomeReason"
+ kubeaudit.io/allow-capability-sys-time: "SomeReason"
 spec:
 containers:
 - name: container
diff --git a/auditors/hostns/fixtures/host-ipc-true-allowed.yml b/auditors/hostns/fixtures/host-ipc-true-allowed.yml
index 7d3a0aa1..ad367486 100644
--- a/auditors/hostns/fixtures/host-ipc-true-allowed.yml
+++ b/auditors/hostns/fixtures/host-ipc-true-allowed.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 namespace: host-ipc-true-allowed
 labels:
- audit.kubernetes.io/pod.allow-namespace-host-IPC: "SomeReason"
+ kubeaudit.io/allow-namespace-host-IPC: "SomeReason"
 spec:
 hostIPC: true
 containers:
diff --git a/auditors/hostns/fixtures/host-network-true-allowed.yml b/auditors/hostns/fixtures/host-network-true-allowed.yml
index 38c1a23b..83d342e3 100644
--- a/auditors/hostns/fixtures/host-network-true-allowed.yml
+++ b/auditors/hostns/fixtures/host-network-true-allowed.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 namespace: host-network-true-allowed
 labels:
- audit.kubernetes.io/pod.allow-namespace-host-network: "SomeReason"
+ kubeaudit.io/allow-namespace-host-network: "SomeReason"
 spec:
 hostNetwork: true
 containers:
diff --git a/auditors/hostns/fixtures/host-pid-true-allowed.yml b/auditors/hostns/fixtures/host-pid-true-allowed.yml
index 0ae5171c..538c8f34 100644
--- a/auditors/hostns/fixtures/host-pid-true-allowed.yml
+++ b/auditors/hostns/fixtures/host-pid-true-allowed.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 namespace: host-pid-true-allowed
 labels:
- audit.kubernetes.io/pod.allow-namespace-host-PID: "SomeReason"
+ kubeaudit.io/allow-namespace-host-PID: "SomeReason"
 spec:
 hostPID: true
 containers:
diff --git a/auditors/hostns/fixtures/namespaces-all-true-allowed.yml b/auditors/hostns/fixtures/namespaces-all-true-allowed.yml
index 651682f9..041110f2 100644
--- a/auditors/hostns/fixtures/namespaces-all-true-allowed.yml
+++ b/auditors/hostns/fixtures/namespaces-all-true-allowed.yml
@@ -4,9 +4,9 @@ metadata:
 name: pod
 namespace: namespaces-all-true-allowed
 labels:
- audit.kubernetes.io/pod.allow-namespace-host-network: "SomeReason"
- audit.kubernetes.io/pod.allow-namespace-host-IPC: "SomeReason"
- audit.kubernetes.io/pod.allow-namespace-host-PID: "SomeReason"
+ kubeaudit.io/allow-namespace-host-network: "SomeReason"
+ kubeaudit.io/allow-namespace-host-IPC: "SomeReason"
+ kubeaudit.io/allow-namespace-host-PID: "SomeReason"
 spec:
 hostPID: true
 hostIPC: true
diff --git a/auditors/hostns/fixtures/namespaces-redundant-override.yml b/auditors/hostns/fixtures/namespaces-redundant-override.yml
index 3491660d..072f27e1 100644
--- a/auditors/hostns/fixtures/namespaces-redundant-override.yml
+++ b/auditors/hostns/fixtures/namespaces-redundant-override.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 namespace: namespaces-redundant-override
 labels:
- audit.kubernetes.io/pod.allow-namespace-host-network: "SomeReason"
+ kubeaudit.io/allow-namespace-host-network: "SomeReason"
 spec:
 hostNetwork: false
 containers:
diff --git a/auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-multi-labels.yml b/auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-multi-labels.yml
index 95e517cb..3f5a1d88 100644
--- a/auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-multi-labels.yml
+++ b/auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-multi-labels.yml
@@ -4,8 +4,8 @@ metadata:
 name: pod
 labels:
 name: pod
- container.audit.kubernetes.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
- container.audit.kubernetes.io/container2.allow-host-path-mount-proc-volume: "SomeReason"
+ container.kubeaudit.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
+ container.kubeaudit.io/container2.allow-host-path-mount-proc-volume: "SomeReason"
 namespace: proc-mounted-allowed-multi-containers-multi-labels
 spec:
 containers:
diff --git a/auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-single-label.yml b/auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-single-label.yml
index f6a99664..c39fbb2e 100644
--- a/auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-single-label.yml
+++ b/auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-single-label.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 labels:
 name: pod
- container.audit.kubernetes.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
+ container.kubeaudit.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
 namespace: proc-mounted-allowed-multi-containers-single-label
 spec:
 containers:
diff --git a/auditors/mounts/fixtures/proc-mounted-allowed.yml b/auditors/mounts/fixtures/proc-mounted-allowed.yml
index 527a93ee..7d9f4315 100644
--- a/auditors/mounts/fixtures/proc-mounted-allowed.yml
+++ b/auditors/mounts/fixtures/proc-mounted-allowed.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 labels:
 name: pod
- audit.kubernetes.io/pod.allow-host-path-mount-proc-volume: "SomeReason"
+ kubeaudit.io/allow-host-path-mount-proc-volume: "SomeReason"
 namespace: proc-mounted-allowed
 spec:
 containers:
diff --git a/auditors/netpols/fixtures/namespace-allow-missing-default-deny-ingress-old-label.yml b/auditors/netpols/fixtures/namespace-allow-missing-default-deny-ingress-old-label.yml
new file mode 100644
index 00000000..d04a4b54
--- /dev/null
+++ b/auditors/netpols/fixtures/namespace-allow-missing-default-deny-ingress-old-label.yml
@@ -0,0 +1,19 @@
+# this is to test backwards compatibility with old unregistered annotations (kubernetes.io)
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: namespace-allow-missing-default-deny-ingress-old-label
+ labels:
+ audit.kubernetes.io/namespace.allow-non-default-deny-ingress-network-policy: "SomeReason"
+---
+# https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: namespace-allow-missing-default-deny-ingress-old-label
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+
diff --git a/auditors/netpols/fixtures/namespace-missing-default-deny-egress-netpol-allowed.yml b/auditors/netpols/fixtures/namespace-missing-default-deny-egress-netpol-allowed.yml
index b3121949..afe72df0 100644
--- a/auditors/netpols/fixtures/namespace-missing-default-deny-egress-netpol-allowed.yml
+++ b/auditors/netpols/fixtures/namespace-missing-default-deny-egress-netpol-allowed.yml
@@ -3,7 +3,7 @@ kind: Namespace
 metadata:
 name: namespace-missing-default-deny-egress-netpol-allowed
 labels:
- audit.kubernetes.io/namespace.allow-non-default-deny-egress-network-policy: "SomeReason"
+ kubeaudit.io/allow-non-default-deny-egress-network-policy: "SomeReason"
 ---
 # https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
 apiVersion: networking.k8s.io/v1
diff --git a/auditors/netpols/fixtures/namespace-missing-default-deny-ingress-netpol-allowed.yml b/auditors/netpols/fixtures/namespace-missing-default-deny-ingress-netpol-allowed.yml
index c0282476..f6b0ff6b 100644
--- a/auditors/netpols/fixtures/namespace-missing-default-deny-ingress-netpol-allowed.yml
+++ b/auditors/netpols/fixtures/namespace-missing-default-deny-ingress-netpol-allowed.yml
@@ -3,7 +3,7 @@ kind: Namespace
 metadata:
 name: namespace-missing-default-deny-ingress-netpol-allowed
 labels:
- audit.kubernetes.io/namespace.allow-non-default-deny-ingress-network-policy: "SomeReason"
+ kubeaudit.io/allow-non-default-deny-ingress-network-policy: "SomeReason"
 ---
 # https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
 apiVersion: networking.k8s.io/v1
diff --git a/auditors/netpols/fixtures/namespace-missing-default-deny-netpol-allowed.yml b/auditors/netpols/fixtures/namespace-missing-default-deny-netpol-allowed.yml
index 425d2fbc..d7a08a8d 100644
--- a/auditors/netpols/fixtures/namespace-missing-default-deny-netpol-allowed.yml
+++ b/auditors/netpols/fixtures/namespace-missing-default-deny-netpol-allowed.yml
@@ -3,8 +3,8 @@ kind: Namespace
 metadata:
 name: namespace-missing-default-deny-netpol-allowed
 labels:
- audit.kubernetes.io/namespace.allow-non-default-deny-egress-network-policy: "SomeReason"
- audit.kubernetes.io/namespace.allow-non-default-deny-ingress-network-policy: "SomeReason"
+ kubeaudit.io/allow-non-default-deny-egress-network-policy: "SomeReason"
+ kubeaudit.io/allow-non-default-deny-ingress-network-policy: "SomeReason"
 ---
 # https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/07-allow-traffic-from-some-pods-in-another-namespace.md
 kind: NetworkPolicy
diff --git a/auditors/netpols/netpols_test.go b/auditors/netpols/netpols_test.go
index e9af91f9..35898450 100644
--- a/auditors/netpols/netpols_test.go
+++ b/auditors/netpols/netpols_test.go
@@ -23,6 +23,7 @@ func TestAuditDefaultDenyNetworkPolicies(t *testing.T) {
 {"namespace-missing-default-deny-netpol-allowed.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyIngressAndEgressNetworkPolicy)}},
 {"namespace-missing-default-deny-egress-netpol-allowed.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyEgressNetworkPolicy)}},
 {"namespace-missing-default-deny-ingress-netpol-allowed.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyIngressNetworkPolicy)}},
+ {"namespace-allow-missing-default-deny-ingress-old-label.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyIngressNetworkPolicy)}},
 }
 for _, tc := range cases {
diff --git a/auditors/nonroot/fixtures/run-as-non-root-false-allowed.yml b/auditors/nonroot/fixtures/run-as-non-root-false-allowed.yml
index a7196754..bf58f889 100644
--- a/auditors/nonroot/fixtures/run-as-non-root-false-allowed.yml
+++ b/auditors/nonroot/fixtures/run-as-non-root-false-allowed.yml
@@ -12,7 +12,7 @@ spec:
 metadata:
 labels:
 name: deployment
- audit.kubernetes.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
 spec:
 containers:
 - name: container
diff --git a/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-multi-labels.yml b/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-multi-labels.yml
index d05388ee..ff165fb9 100644
--- a/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-multi-labels.yml
+++ b/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-multi-labels.yml
@@ -4,8 +4,8 @@ metadata:
 name: pod
 labels:
 name: pod
- container.audit.kubernetes.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
- container.audit.kubernetes.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ container.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ container.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
 namespace: run-as-non-root-psc-false-allowed-multi-containers-multi-labels
 spec:
 securityContext:
diff --git a/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-single-label.yml b/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-single-label.yml
index d212730d..f98a939d 100644
--- a/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-single-label.yml
+++ b/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-single-label.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 labels:
 name: pod
- container.audit.kubernetes.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ container.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
 namespace: run-as-non-root-psc-false-allowed-multi-containers-single-label
 spec:
 securityContext:
diff --git a/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed.yml b/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed.yml
index 3828bcc4..23927c45 100644
--- a/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed.yml
+++ b/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 labels:
 name: pod
- audit.kubernetes.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
 namespace: run-as-non-root-psc-false-allowed
 spec:
 securityContext:
diff --git a/auditors/nonroot/fixtures/run-as-non-root-redundant-override-container.yml b/auditors/nonroot/fixtures/run-as-non-root-redundant-override-container.yml
index 45f6ad88..8093625b 100644
--- a/auditors/nonroot/fixtures/run-as-non-root-redundant-override-container.yml
+++ b/auditors/nonroot/fixtures/run-as-non-root-redundant-override-container.yml
@@ -11,7 +11,7 @@ spec:
 metadata:
 labels:
 name: deployment
- audit.kubernetes.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
 spec:
 containers:
 - name: container
diff --git a/auditors/nonroot/fixtures/run-as-non-root-redundant-override-pod.yml b/auditors/nonroot/fixtures/run-as-non-root-redundant-override-pod.yml
index 37ba3183..65474138 100644
--- a/auditors/nonroot/fixtures/run-as-non-root-redundant-override-pod.yml
+++ b/auditors/nonroot/fixtures/run-as-non-root-redundant-override-pod.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 labels:
 name: pod
- audit.kubernetes.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
 namespace: run-as-non-root-redundant-override-pod
 spec:
 securityContext:
diff --git a/auditors/nonroot/fixtures/run-as-user-0-allowed.yml b/auditors/nonroot/fixtures/run-as-user-0-allowed.yml
index 5a8121c8..2204efa0 100644
--- a/auditors/nonroot/fixtures/run-as-user-0-allowed.yml
+++ b/auditors/nonroot/fixtures/run-as-user-0-allowed.yml
@@ -12,7 +12,7 @@ spec:
 metadata:
 labels:
 name: deployment
- audit.kubernetes.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
 spec:
 containers:
 - name: container
diff --git a/auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-multi-labels.yml b/auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-multi-labels.yml
index 77611261..9b027747 100644
--- a/auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-multi-labels.yml
+++ b/auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-multi-labels.yml
@@ -4,8 +4,8 @@ metadata:
 name: pod
 labels:
 name: pod
- container.audit.kubernetes.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
- container.audit.kubernetes.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ container.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ container.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
 namespace: run-as-user-psc-0-allowed-multi-containers-multi-labels
 spec:
 securityContext:
diff --git a/auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-single-label.yml b/auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-single-label.yml
index 8464388f..aa2758cf 100644
--- a/auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-single-label.yml
+++ b/auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-single-label.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 labels:
 name: pod
- container.audit.kubernetes.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ container.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
 namespace: run-as-user-psc-0-allowed-multi-containers-single-label
 spec:
 securityContext:
diff --git a/auditors/nonroot/fixtures/run-as-user-psc-0-allowed.yml b/auditors/nonroot/fixtures/run-as-user-psc-0-allowed.yml
index 7e2fbb4c..4df24a48 100644
--- a/auditors/nonroot/fixtures/run-as-user-psc-0-allowed.yml
+++ b/auditors/nonroot/fixtures/run-as-user-psc-0-allowed.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 labels:
 name: pod
- audit.kubernetes.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
 namespace: run-as-user-psc-0-allowed
 spec:
 securityContext:
diff --git a/auditors/nonroot/fixtures/run-as-user-redundant-override-container.yml b/auditors/nonroot/fixtures/run-as-user-redundant-override-container.yml
index 6687be4b..519d1a11 100644
--- a/auditors/nonroot/fixtures/run-as-user-redundant-override-container.yml
+++ b/auditors/nonroot/fixtures/run-as-user-redundant-override-container.yml
@@ -11,7 +11,7 @@ spec:
 metadata:
 labels:
 name: deployment
- audit.kubernetes.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
 spec:
 containers:
 - name: container
diff --git a/auditors/nonroot/fixtures/run-as-user-redundant-override-pod.yml b/auditors/nonroot/fixtures/run-as-user-redundant-override-pod.yml
index 0ac7a73a..6c9e167e 100644
--- a/auditors/nonroot/fixtures/run-as-user-redundant-override-pod.yml
+++ b/auditors/nonroot/fixtures/run-as-user-redundant-override-pod.yml
@@ -4,7 +4,7 @@ metadata:
 name: pod
 labels:
 name: pod
- audit.kubernetes.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+ kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
 namespace: run-as-user-redundant-override-pod
 spec:
 securityContext:
diff --git a/auditors/privesc/fixtures/allow-privilege-escalation-redundant-override.yml b/auditors/privesc/fixtures/allow-privilege-escalation-redundant-override.yml
index 438c2a56..824d633d 100644
--- a/auditors/privesc/fixtures/allow-privilege-escalation-redundant-override.yml
+++ b/auditors/privesc/fixtures/allow-privilege-escalation-redundant-override.yml
@@ -12,7 +12,7 @@ spec:
 metadata:
 labels:
 name: statefulset
- audit.kubernetes.io/pod.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
+ kubeaudit.io/allow-privilege-escalation: "SuperuserPrivilegesNeeded"
 spec:
 containers:
 - name: container
diff --git a/auditors/privesc/fixtures/allow-privilege-escalation-true-allowed.yml b/auditors/privesc/fixtures/allow-privilege-escalation-true-allowed.yml
index 8d6d2555..54ba8341 100644
--- a/auditors/privesc/fixtures/allow-privilege-escalation-true-allowed.yml
+++ b/auditors/privesc/fixtures/allow-privilege-escalation-true-allowed.yml
@@ -12,7 +12,7 @@ spec:
 metadata:
 labels:
 name: statefulset
- audit.kubernetes.io/pod.allow-privilege-escalation: ""
+ kubeaudit.io/allow-privilege-escalation: ""
 spec:
 containers:
 - name: container
diff --git a/auditors/privesc/fixtures/allow-privilege-escalation-true-multi-allowed-multi-containers.yml b/auditors/privesc/fixtures/allow-privilege-escalation-true-multi-allowed-multi-containers.yml
index 57b2ccea..e77faec3 100644
--- a/auditors/privesc/fixtures/allow-privilege-escalation-true-multi-allowed-multi-containers.yml
+++ b/auditors/privesc/fixtures/allow-privilege-escalation-true-multi-allowed-multi-containers.yml
@@ -12,8 +12,8 @@ spec:
 metadata:
 labels:
 name: statefulset
- container.audit.kubernetes.io/container1.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
- container.audit.kubernetes.io/container2.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
+ container.kubeaudit.io/container1.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
+ container.kubeaudit.io/container2.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
 spec:
 containers:
 - name: container1
diff --git a/auditors/privesc/fixtures/allow-privilege-escalation-true-single-allowed-multi-containers.yml b/auditors/privesc/fixtures/allow-privilege-escalation-true-single-allowed-multi-containers.yml
index 69801e2b..95c39731 100644
--- a/auditors/privesc/fixtures/allow-privilege-escalation-true-single-allowed-multi-containers.yml
+++ b/auditors/privesc/fixtures/allow-privilege-escalation-true-single-allowed-multi-containers.yml
@@ -12,7 +12,7 @@ spec:
 metadata:
 labels:
 name: statefulset
- container.audit.kubernetes.io/container2.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
+ container.kubeaudit.io/container2.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
 spec:
 containers:
 - name: container1
diff --git a/auditors/privileged/fixtures/privileged-redundant-override.yml b/auditors/privileged/fixtures/privileged-redundant-override.yml
index a20a3e9d..c137cd2a 100644
--- a/auditors/privileged/fixtures/privileged-redundant-override.yml
+++ b/auditors/privileged/fixtures/privileged-redundant-override.yml
@@ -11,7 +11,7 @@ spec:
 metadata:
 labels:
 name: daemonset
- audit.kubernetes.io/pod.allow-privileged: "SomeReason"
+ kubeaudit.io/allow-privileged: "SomeReason"
 spec:
 containers:
 - name: container
diff --git a/auditors/privileged/fixtures/privileged-true-allowed-multi-containers-multi-labels.yml b/auditors/privileged/fixtures/privileged-true-allowed-multi-containers-multi-labels.yml
index 88e12b6e..abbef881 100644
--- a/auditors/privileged/fixtures/privileged-true-allowed-multi-containers-multi-labels.yml
+++ b/auditors/privileged/fixtures/privileged-true-allowed-multi-containers-multi-labels.yml
@@ -12,8 +12,8 @@ spec: metadata: labels: name: daemonset - container.audit.kubernetes.io/container1.allow-privileged: "SomeReason" - container.audit.kubernetes.io/container2.allow-privileged: "SomeReason" + container.kubeaudit.io/container1.allow-privileged: "SomeReason" + container.kubeaudit.io/container2.allow-privileged: "SomeReason" spec: containers: - name: container1 diff --git a/auditors/privileged/fixtures/privileged-true-allowed-multi-containers-single-label.yml b/auditors/privileged/fixtures/privileged-true-allowed-multi-containers-single-label.yml index c6d85d15..e976b334 100644 --- a/auditors/privileged/fixtures/privileged-true-allowed-multi-containers-single-label.yml +++ b/auditors/privileged/fixtures/privileged-true-allowed-multi-containers-single-label.yml @@ -12,7 +12,7 @@ spec: metadata: labels: name: daemonset - container.audit.kubernetes.io/container2.allow-privileged: "SomeReason" + container.kubeaudit.io/container2.allow-privileged: "SomeReason" spec: containers: - name: container1 diff --git a/auditors/privileged/fixtures/privileged-true-allowed.yml b/auditors/privileged/fixtures/privileged-true-allowed.yml index e48322d2..890cac8e 100644 --- a/auditors/privileged/fixtures/privileged-true-allowed.yml +++ b/auditors/privileged/fixtures/privileged-true-allowed.yml @@ -12,7 +12,7 @@ spec: metadata: labels: name: daemonset - audit.kubernetes.io/pod.allow-privileged: "SomeReason" + kubeaudit.io/allow-privileged: "SomeReason" spec: containers: - name: container diff --git a/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed-multi-labels.yml b/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed-multi-labels.yml index 191e8fc5..89055488 100644 --- a/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed-multi-labels.yml +++ b/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed-multi-labels.yml 
@@ -13,8 +13,8 @@ spec: metadata: labels: name: statefulset - container.audit.kubernetes.io/container1.allow-read-only-root-filesystem-false: "SomeReason" - container.audit.kubernetes.io/container2.allow-read-only-root-filesystem-false: "SomeReason" + container.kubeaudit.io/container1.allow-read-only-root-filesystem-false: "SomeReason" + container.kubeaudit.io/container2.allow-read-only-root-filesystem-false: "SomeReason" spec: containers: - name: container1 diff --git a/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed-single-label.yml b/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed-single-label.yml index 78786557..2c8e94db 100644 --- a/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed-single-label.yml +++ b/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed-single-label.yml @@ -13,7 +13,7 @@ spec: metadata: labels: name: statefulset - container.audit.kubernetes.io/container1.allow-read-only-root-filesystem-false: "SomeReason" + container.kubeaudit.io/container1.allow-read-only-root-filesystem-false: "SomeReason" spec: containers: - name: container1 diff --git a/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed.yml b/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed.yml index 525ca2cf..9a0dd8ea 100644 --- a/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed.yml +++ b/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed.yml @@ -13,7 +13,7 @@ spec: metadata: labels: name: statefulset - audit.kubernetes.io/pod.allow-read-only-root-filesystem-false: "SomeReason" + kubeaudit.io/allow-read-only-root-filesystem-false: "SomeReason" spec: containers: - name: container diff --git a/auditors/rootfs/fixtures/read-only-root-filesystem-redundant-override.yml b/auditors/rootfs/fixtures/read-only-root-filesystem-redundant-override.yml index 768227a8..9e461bbd 100644 --- a/auditors/rootfs/fixtures/read-only-root-filesystem-redundant-override.yml 
+++ b/auditors/rootfs/fixtures/read-only-root-filesystem-redundant-override.yml @@ -13,7 +13,7 @@ spec: metadata: labels: name: statefulset - audit.kubernetes.io/pod.allow-read-only-root-filesystem-false: "SomeReason" + kubeaudit.io/allow-read-only-root-filesystem-false: "SomeReason" spec: containers: - name: container diff --git a/cmd/commands/root.go b/cmd/commands/root.go index b9f05d7c..a599baa0 100644 --- a/cmd/commands/root.go +++ b/cmd/commands/root.go @@ -1,6 +1,7 @@ package commands import ( + "fmt" "os" "strings" @@ -11,6 +12,7 @@ import ( "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/auditors/all" "github.com/Shopify/kubeaudit/config" + "github.com/Shopify/kubeaudit/internal/color" "github.com/Shopify/kubeaudit/internal/k8sinternal" "github.com/Shopify/kubeaudit/internal/sarif" ) @@ -73,6 +75,8 @@ func runAudit(auditable ...kubeaudit.Auditable) func(cmd *cobra.Command, args [] return func(cmd *cobra.Command, args []string) { report := getReport(auditable...) + fmt.Fprintln(os.Stderr, color.Yellow("\n[WARNING]: kubernetes.io for override labels will soon be deprecated. Please, update them to use kubeaudit.io instead.")) + printOptions := []kubeaudit.PrintOption{ kubeaudit.WithMinSeverity(KubeauditLogLevels[strings.ToLower(rootConfig.minSeverity)]), kubeaudit.WithColor(!rootConfig.noColor), diff --git a/docs/auditors/apparmor.md b/docs/auditors/apparmor.md index 5c7a644c..61944d42 100644 --- a/docs/auditors/apparmor.md +++ b/docs/auditors/apparmor.md @@ -86,7 +86,7 @@ Override identifier for the `unconfined` apparmor profile value: `allow-disabled Container overrides have the form: ```yaml -container.audit.kubernetes.io/[container name].allow-disabled-apparmor: "SomeReason" +container.kubeaudit.io/[container name].allow-disabled-apparmor: "SomeReason" ``` Example of resource with the `unconfined` apparmor profile overridden for a specific container: 
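Review bot: The new deprecation warning in runAudit is emitted on every invocation, even when none of the audited manifests carry an `audit.kubernetes.io` override label, and it is wrapped in `color.Yellow` unconditionally while the report two lines below honors `rootConfig.noColor` via `kubeaudit.WithColor(!rootConfig.noColor)`. Gate the message on whether the override package actually matched a legacy prefix during this run (so users who have already migrated are not trained to ignore stderr), and respect the no-color flag, e.g. `msg := "..."; if !rootConfig.noColor { msg = color.Yellow(msg) }; fmt.Fprintln(os.Stderr, msg)`. Writing to `os.Stderr` is the right choice, since it keeps JSON and SARIF output on stdout parseable. The body of runAudit continues outside the hunk.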
@@ -99,7 +99,7 @@ spec: annotations: container.apparmor.security.beta.kubernetes.io/myContainer: unconfined labels: - container.audit.kubernetes.io/myContainer.allow-disabled-apparmor: "SomeReason" + container.kubeaudit.io/myContainer.allow-disabled-apparmor: "SomeReason" spec: containers: - name: myContainer diff --git a/docs/auditors/asat.md b/docs/auditors/asat.md index e90aa793..6e75932d 100644 --- a/docs/auditors/asat.md +++ b/docs/auditors/asat.md @@ -1,7 +1,7 @@ # automountServiceAccountToken Auditor (asat) Finds containers that meet either of the following conditions: -1. The deprecated `serviceAccount` field is used +1. The deprecated `serviceAccount` field is used 1. The default service account is automatically mounted ## General Usage @@ -95,7 +95,7 @@ Override identifier: `allow-automount-service-account-token` Only pod overrides are supported: ```yaml -audit.kubernetes.io/pod.allow-automount-service-account-token: "" +kubeaudit.io/allow-automount-service-account-token: "" ``` Example of a resource with `asat` results overridden: @@ -106,7 +106,7 @@ spec: template: metadata: labels: - audit.kubernetes.io/pod.allow-automount-service-account-token: "" + kubeaudit.io/allow-automount-service-account-token: "" spec: automountServiceAccountToken: true containers: diff --git a/docs/auditors/capabilities.md b/docs/auditors/capabilities.md index 75be0d8e..11a5c9a3 100644 --- a/docs/auditors/capabilities.md +++ b/docs/auditors/capabilities.md 
@@ -89,7 +89,7 @@ $ kubeaudit all --kconfig "config.yaml" -f "manifest.yaml" -------------------------------------------- -- [error] CapabilityAdded - Message: Capability "CHOWN" added. It should be removed from the capability add list. If you need this capability, add an override label such as'container.audit.kubernetes.io/container1.allow-capability-chown: SomeReason'. + Message: Capability "CHOWN" added. It should be removed from the capability add list. If you need this capability, add an override label such as'container.kubeaudit.io/container1.allow-capability-chown: SomeReason'. Metadata: Container: container1 ``` @@ -126,7 +126,7 @@ Here we're only adding 3 capabilities to the add list to be ignored. Since we di -------------------------------------------- -- [error] CapabilityAdded - Message: Capability "NET_ADMIN" added. It should be removed from the capability add list. If you need this capability, add an override label such as 'container.audit.kubernetes.io/container1.allow-capability-net-admin: SomeReason'. + Message: Capability "NET_ADMIN" added. It should be removed from the capability add list. If you need this capability, add an override label such as 'container.kubeaudit.io/container1.allow-capability-net-admin: SomeReason'. Metadata: Container: container1 Capabiliy: NET_ADMIN @@ -193,13 +193,13 @@ For example, the override identifier for the `AUDIT_WRITE` capability would be ` Container overrides have the form: ```yaml -container.audit.kubernetes.io/[container name].[override identifier]: '' +container.kubeaudit.io/[container name].[override identifier]: '' ``` Pod overrides have the form: ```yaml -audit.kubernetes.io/pod.[override identifier]: '' +kubeaudit.io/[override identifier]: '' ``` Example of a resource with `AUDIT_WRITE` and `DAC_OVERRIDE` capabilities overridden for a specific container: 
@@ -211,8 +211,8 @@ spec: template: metadata: labels: - container.audit.kubernetes.io/myContainer.allow-capability-audit-write: '' - container.audit.kubernetes.io/myContainer.allow-capability-dac-override: '' + container.kubeaudit.io/myContainer.allow-capability-audit-write: '' + container.kubeaudit.io/myContainer.allow-capability-dac-override: '' spec: containers: - name: myContainer @@ -234,8 +234,8 @@ spec: template: metadata: labels: - audit.kubernetes.io/pod.allow-capability-audit-write: '' - audit.kubernetes.io/pod.allow-capability-dac-override: '' + kubeaudit.io/allow-capability-audit-write: '' + kubeaudit.io/allow-capability-dac-override: '' spec: containers: - name: myContainer diff --git a/docs/auditors/hostns.md b/docs/auditors/hostns.md index c2863020..b436ba30 100644 --- a/docs/auditors/hostns.md +++ b/docs/auditors/hostns.md @@ -74,12 +74,12 @@ Each host namespace field can be individually overridden using their respective Container overrides have the form: ```yaml -container.audit.kubernetes.io/[container name].[override identifier]: "" +container.kubeaudit.io/[container name].[override identifier]: "" ``` Pod overrides have the form: ```yaml -audit.kubernetes.io/pod.[override identifier]: "" +kubeaudit.io/[override identifier]: "" ``` Example of a resource with `HostPID` overridden for a specific container: @@ -90,7 +90,7 @@ spec: template: metadata: labels: - container.audit.kubernetes.io/myContainer.allow-namespace-host-PID: "" + container.kubeaudit.io/myContainer.allow-namespace-host-PID: "" spec: hostPID: true containers: @@ -105,7 +105,7 @@ spec: template: metadata: labels: - audit.kubernetes.io/pod.allow-namespace-host-PID: "" + kubeaudit.io/allow-namespace-host-PID: "" spec: hostPID: true containers: diff --git a/docs/auditors/mounts.md b/docs/auditors/mounts.md index cf5dd02c..e8332920 100644 --- a/docs/auditors/mounts.md +++ b/docs/auditors/mounts.md 
@@ -233,7 +233,7 @@ spec: template: #PodTemplateSpec metadata: labels: - container.audit.kubernetes.io/container2.allow-host-path-mount-proc-volume: "SomeReason" + container.kubeaudit.io/container2.allow-host-path-mount-proc-volume: "SomeReason" spec: #PodSpec containers: - name: container1 @@ -258,7 +258,7 @@ spec: template: #PodTemplateSpec metadata: labels: - audit.kubernetes.io/pod.allow-host-path-mount-proc-volume: "SomeReason" + kubeaudit.io/allow-host-path-mount-proc-volume: "SomeReason" spec: #PodSpec containers: - name: container1 diff --git a/docs/auditors/netpols.md b/docs/auditors/netpols.md index 78ed1d6f..a8ac4c07 100644 --- a/docs/auditors/netpols.md +++ b/docs/auditors/netpols.md @@ -59,7 +59,7 @@ First, see the [Introduction to Override Errors](/README.md#override-errors). The `netpols` auditor uses a unique override label type not used by any other auditor because the label applies to a namespace (rather than a container or pod): ``` -audit.kubernetes.io/namespace.[override identifier]: "" +kubeaudit.io/[override identifier]: "" ``` Deny-all ingress and egress network policies can be individually overridden using their respective override identifiers: @@ -76,7 +76,7 @@ kind: Namespace metadata: name: "default" labels: - audit.kubernetes.io/namespace.allow-non-default-deny-ingress-network-policy: "" + kubeaudit.io/allow-non-default-deny-ingress-network-policy: "" ``` ### Override Example 
@@ -118,14 +118,14 @@ The `netpols` auditor will produce an error because there is no `deny-all` Netwo Namespace: my-namespace ``` -This error can be overridden by adding the `audit.kubernetes.io/namespace.allow-non-default-deny-ingress-network-policy: ""` label to the corresponding Namespace resource: +This error can be overridden by adding the `kubeaudit.io/allow-non-default-deny-ingress-network-policy: ""` label to the corresponding Namespace resource: ```yaml apiVersion: v1 kind: Namespace metadata: name: "my-namespace" labels: - audit.kubernetes.io/namespace.allow-non-default-deny-ingress-network-policy: "" + kubeaudit.io/allow-non-default-deny-ingress-network-policy: "" ``` The auditor will now produce a warning instead of an error: diff --git a/docs/auditors/nonroot.md b/docs/auditors/nonroot.md index f75eb6ac..431190a7 100644 --- a/docs/auditors/nonroot.md +++ b/docs/auditors/nonroot.md @@ -52,7 +52,7 @@ spec: - name: myContainer ``` -Alternatively it's possible to enforce non-root containers by setting `runAsUser` to a non-root UID (>0) in either the PodSecurityContext or container SecurityContext. Conversely, if `runAsUser` is set to `0` in either the PodSecurityContext or container SecurityContext then the container will always run as root and so the audit will fail. +Alternatively it's possible to enforce non-root containers by setting `runAsUser` to a non-root UID (>0) in either the PodSecurityContext or container SecurityContext. Conversely, if `runAsUser` is set to `0` in either the PodSecurityContext or container SecurityContext then the container will always run as root and so the audit will fail. If `runAsUser` is set to a non-root UID (either in PodSecurityContext or container SecurityContext) it won't matter if `runAsNonRoot` is set to `false` or `nil` and so the audit will always pass. 
@@ -81,12 +81,12 @@ Override identifer: `allow-run-as-root` Container overrides have the form: ```yaml -container.audit.kubernetes.io/[container name].allow-run-as-root: "" +container.kubeaudit.io/[container name].allow-run-as-root: "" ``` Pod overrides have the form: ```yaml -audit.kubernetes.io/pod.allow-run-as-root: "" +kubeaudit.io/allow-run-as-root: "" ``` Example of resource with `nonroot` overridden for a specific container: @@ -97,7 +97,7 @@ spec: template: #PodTemplateSpec metadata: labels: - container.audit.kubernetes.io/myContainer.allow-run-as-root: "" + container.kubeaudit.io/myContainer.allow-run-as-root: "" spec: #PodSpec securityContext: #PodSecurityContext runAsNonRoot: true @@ -116,7 +116,7 @@ spec: template: #PodTemplateSpec metadata: labels: - audit.kubernetes.io/pod.allow-run-as-root: "" + kubeaudit.io/allow-run-as-root: "" spec: #PodSpec securityContext: #PodSecurityContext runAsNonRoot: true @@ -137,7 +137,7 @@ spec: template: #PodTemplateSpec metadata: labels: - container.audit.kubernetes.io/myContainer.allow-run-as-root: "" + container.kubeaudit.io/myContainer.allow-run-as-root: "" spec: #PodSpec securityContext: #PodSecurityContext runAsUser: 1000 diff --git a/docs/auditors/privesc.md b/docs/auditors/privesc.md index 9477e433..cb00a650 100644 --- a/docs/auditors/privesc.md +++ b/docs/auditors/privesc.md @@ -58,12 +58,12 @@ Override identifier: `allow-privilege-escalation` Container overrides have the form: ```yaml -container.audit.kubernetes.io/[container name].allow-privilege-escalation: "" +container.kubeaudit.io/[container name].allow-privilege-escalation: "" ``` Pod overrides have the form: ```yaml -audit.kubernetes.io/pod.allow-privilege-escalation: "" +kubeaudit.io/allow-privilege-escalation: "" ``` Example of resource with `privesc` overridden for a specific container: 
@@ -74,7 +74,7 @@ spec: template: metadata: labels: - container.audit.kubernetes.io/myContainer.allow-privilege-escalation: "" + container.kubeaudit.io/myContainer.allow-privilege-escalation: "" spec: containers: - name: myContainer @@ -90,7 +90,7 @@ spec: template: metadata: labels: - audit.kubernetes.io/pod.allow-privilege-escalation: "" + kubeaudit.io/allow-privilege-escalation: "" spec: containers: - name: myContainer diff --git a/docs/auditors/privileged.md b/docs/auditors/privileged.md index d59b3a82..2bd41f92 100644 --- a/docs/auditors/privileged.md +++ b/docs/auditors/privileged.md @@ -59,12 +59,12 @@ Override identifier: `allow-privileged` Container overrides have the form: ```yaml -container.audit.kubernetes.io/[container name].allow-privileged: "" +container.kubeaudit.io/[container name].allow-privileged: "" ``` Pod overrides have the form: ```yaml -audit.kubernetes.io/pod.allow-privileged: "" +kubeaudit.io/allow-privileged: "" ``` Example of resource with `privileged` overridden for a specific container: @@ -75,7 +75,7 @@ spec: template: metadata: labels: - container.audit.kubernetes.io/myContainer.allow-privilege-escalation: "" + container.kubeaudit.io/myContainer.allow-privilege-escalation: "" spec: containers: - name: myContainer @@ -91,7 +91,7 @@ spec: template: metadata: labels: - audit.kubernetes.io/pod.allow-privileged: "" + kubeaudit.io/allow-privileged: "" spec: containers: - name: myContainer diff --git a/docs/auditors/rootfs.md b/docs/auditors/rootfs.md index 0de04397..5d1659c7 100644 --- a/docs/auditors/rootfs.md +++ b/docs/auditors/rootfs.md 
@@ -60,12 +60,12 @@ Override identifier: `allow-read-only-root-filesystem-false` Container overrides have the form: ```yaml -container.audit.kubernetes.io/[container name].allow-read-only-root-filesystem-false: "" +container.kubeaudit.io/[container name].allow-read-only-root-filesystem-false: "" ``` Pod overrides have the form: ```yaml -audit.kubernetes.io/pod.allow-read-only-root-filesystem-false: "" +kubeaudit.io/allow-read-only-root-filesystem-false: "" ``` Example of resource with `rootfs` overridden for a specific container: @@ -76,7 +76,7 @@ spec: template: metadata: labels: - container.audit.kubernetes.io/myContainer.allow-read-only-root-filesystem-false: "" + container.kubeaudit.io/myContainer.allow-read-only-root-filesystem-false: "" spec: containers: - name: myContainer @@ -92,7 +92,7 @@ spec: template: metadata: labels: - audit.kubernetes.io/pod.allow-read-only-root-filesystem-false: "" + kubeaudit.io/allow-read-only-root-filesystem-false: "" spec: containers: - name: myContainer diff --git a/pkg/override/override.go b/pkg/override/override.go index 71824234..06c4ff90 100644 --- a/pkg/override/override.go +++ b/pkg/override/override.go 
@@ -8,12 +8,22 @@ import ( ) const ( + // TODO: remove deprecated unregistered labels after warning users about the breaking change + + // DeprecatedContainerOverrideLabelPrefix is used to disable an auditor for a specific container + DeprecatedContainerOverrideLabelPrefix = "container.audit.kubernetes.io/" + + // DeprecatedPodOverrideLabelPrefix is used to disable an auditor for a specific pod + DeprecatedPodOverrideLabelPrefix = "audit.kubernetes.io/pod." + + // DeprecatedNamespaceOverrideLabelPrefix is used to disable an auditor for a specific namespace resource + DeprecatedNamespaceOverrideLabelPrefix = "audit.kubernetes.io/namespace." + // ContainerOverrideLabelPrefix is used to disable an auditor for a specific container - ContainerOverrideLabelPrefix = "container.audit.kubernetes.io/" - // PodOverrideLabelPrefix is used to disable an auditor for a specific pod - PodOverrideLabelPrefix = "audit.kubernetes.io/pod." - // NamespaceOverrideLabelPrefix is used to disable an auditor for a specific namespace resource - NamespaceOverrideLabelPrefix = "audit.kubernetes.io/namespace." + ContainerOverrideLabelPrefix = "container.kubeaudit.io/" + + // OverrideLabelPrefix is used to disable an auditor for either a pod or namespace + OverrideLabelPrefix = "kubeaudit.io/" ) // GetOverriddenResultName takes an audit result name and modifies it to indicate that the security issue was 
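Review bot: The three `Deprecated*OverrideLabelPrefix` constants record their status only in a TODO, so `staticcheck` and gopls will not flag code that still references them; Go's convention is a `// Deprecated: use OverrideLabelPrefix instead.` paragraph in each constant's doc comment. The comments should also say why the old keys are going away (presumably because `kubernetes.io/` label prefixes are reserved for Kubernetes itself and these were never registered), since nothing in the package explains the rename. For example: `// DeprecatedPodOverrideLabelPrefix is the legacy pod override prefix, still honored during the transition.` followed by `//` and `// Deprecated: use OverrideLabelPrefix instead.`.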
@@ -69,13 +79,18 @@ func ApplyOverride(auditResult *kubeaudit.AuditResult, auditorName, containerNam // value of the label which is meant to represent the reason for overriding the auditor // // Container override labels disable the auditor for that specific container and have the following format: -// container.audit.kubernetes.io/[container name].[auditor override label] +// +// container.kubeaudit.io/[container name].[auditor override label] // // If there is no container override label, it calls GetResourceOverrideReason() func GetContainerOverrideReason(containerName string, resource k8s.Resource, overrideLabel string) (hasOverride bool, reason string) { labels := k8s.GetLabels(resource) if containerName != "" { + if reason, hasOverride = labels[GetDeprecatedContainerOverrideLabel(containerName, overrideLabel)]; hasOverride { + return + } + if reason, hasOverride = labels[GetContainerOverrideLabel(containerName, overrideLabel)]; hasOverride { return } @@ -88,13 +103,17 @@ func GetContainerOverrideReason(containerName string, resource k8s.Resource, ove // label which is meant to represent the reason for overriding the auditor // // Pod override labels disable the auditor for the pod and all containers within the pod and have the following format: -// audit.kubernetes.io/pod.[auditor override label] +// +// kubeaudit.io/[auditor override label] +// // Namespace override labels disable the auditor for the namespace resource and have the following format: -// audit.kubernetes.io/namespace.[auditor override label] +// +// kubeaudit.io/[auditor override label] func GetResourceOverrideReason(resource k8s.Resource, auditorOverrideLabel string) (hasOverride bool, reason string) { labelFuncs := []func(overrideLabel string) string{ - GetPodOverrideLabel, - GetNamespaceOverrideLabel, + GetOverrideLabel, + GetDeprecatedPodOverrideLabel, + GetDeprecatedNamespaceOverrideLabel, } labels := k8s.GetLabels(resource) 
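Review bot: In GetContainerOverrideReason the legacy `container.audit.kubernetes.io/` key is looked up before the new `container.kubeaudit.io/` key, so when a resource carries both the deprecated label's reason wins, whereas GetResourceOverrideReason in the next hunk lists `GetOverrideLabel` first; precedence should match across both paths and the new prefix should win. Swap the two `if` blocks so the `GetContainerOverrideLabel` lookup runs first. A match on the legacy key is also indistinguishable from a match on the new one in the returned `(hasOverride, reason)`, so nothing per-resource tells the user which manifests still need migrating; if that is intentional for the transition window, say so in a comment above the legacy lookup. The function's fallthrough to GetResourceOverrideReason lies outside the hunk.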
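Review bot: The doc comment on GetResourceOverrideReason now shows the pod and namespace formats as two identical lines, `kubeaudit.io/[auditor override label]`, which reads as though they were distinct; with the single `OverrideLabelPrefix` the distinction is gone, so state the format once and note that the two legacy prefixes are still accepted. Since `labelFuncs` is consulted for any `k8s.Resource`, a legacy `audit.kubernetes.io/namespace.*` label on a pod template appears to override just like a pod label did before; that is existing behavior, but worth a comment such as `// legacy pod and namespace prefixes are accepted until removed; the kubeaudit.io key wins when both are set`. The loop over `labelFuncs` and the function's return are outside the hunk.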
@@ -107,12 +126,21 @@ func GetResourceOverrideReason(resource k8s.Resource, auditorOverrideLabel strin return false, "" } -func GetPodOverrideLabel(overrideLabel string) string { - return PodOverrideLabelPrefix + overrideLabel +// TODO: remove deprecated getters +func GetDeprecatedPodOverrideLabel(overrideLabel string) string { + return DeprecatedPodOverrideLabelPrefix + overrideLabel +} + +func GetDeprecatedNamespaceOverrideLabel(overrideLabel string) string { + return DeprecatedNamespaceOverrideLabelPrefix + overrideLabel +} + +func GetDeprecatedContainerOverrideLabel(containerName, overrideLabel string) string { + return DeprecatedContainerOverrideLabelPrefix + containerName + "." + overrideLabel } -func GetNamespaceOverrideLabel(overrideLabel string) string { - return NamespaceOverrideLabelPrefix + overrideLabel +func GetOverrideLabel(overrideLabel string) string { + return OverrideLabelPrefix + overrideLabel } func GetContainerOverrideLabel(containerName, overrideLabel string) string {
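Review bot: `GetPodOverrideLabel` and `GetNamespaceOverrideLabel` are exported from `pkg/override` and are deleted outright, which breaks any Go consumer of the package at compile time even though the stated plan is a warning period before the legacy labels are dropped. Keep them as thin wrappers over the new `GetDeprecated*` getters, marked with a `// Deprecated:` paragraph so tooling surfaces the migration, and remove them together with the constants when the transition ends. The exported `GetOverrideLabel` and the `GetDeprecated*` getters also lack doc comments; a one-line `// GetOverrideLabel returns the kubeaudit.io override label key for overrideLabel.` on each would satisfy `golint`/`revive`.
```go
// … unchanged: GetDeprecatedPodOverrideLabel, GetDeprecatedNamespaceOverrideLabel, GetDeprecatedContainerOverrideLabel …

// GetPodOverrideLabel returns the legacy pod override label key.
//
// Deprecated: use GetOverrideLabel instead.
func GetPodOverrideLabel(overrideLabel string) string {
	return GetDeprecatedPodOverrideLabel(overrideLabel)
}

// GetNamespaceOverrideLabel returns the legacy namespace override label key.
//
// Deprecated: use GetOverrideLabel instead.
func GetNamespaceOverrideLabel(overrideLabel string) string {
	return GetDeprecatedNamespaceOverrideLabel(overrideLabel)
}

// … unchanged: GetOverrideLabel, GetContainerOverrideLabel …
```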