support for new override labels

README.md

@@ -4,6 +4,8 @@
 
 > It is now a requirement for clusters to run Kubernetes >=1.19.
 
+> override labels with unregistered `kubernetes.io` annotations will be deprecated. It'll soon be a requirement to use `kubeaudit.io` instead.
+Refer to this [discussion](https://github.com/Shopify/kubeaudit/issues/457) for additional context.
 
 # kubeaudit :cloud: :lock: :muscle:
 
@@ -292,13 +294,13 @@ The `key` is a combination of the override type (container or pod) and an `overr
 1. **Container overrides**, which override the auditor for that specific container, are formatted as follows:
 
 ```yaml
-container.audit.kubernetes.io/[container name].[override identifier]
+container.kubeaudit.io/[container name].[override identifier]
 ```
 
 2. **Pod overrides**, which override the auditor for all containers within the pod, are formatted as follows:
 
 ```yaml
-audit.kubernetes.io/pod.[override identifier]
+kubeaudit.io/[override identifier]
 ```
 
 If the `value` is set to a non-empty string, it will be displayed in the `info` result as the `OverrideReason`:

auditors/apparmor/apparmor_test.go

@@ -24,6 +24,7 @@ func TestAuditAppArmor(t *testing.T) {
 		{"apparmor-annotation-init-container-missing.yml", []string{AppArmorAnnotationMissing}, true},
 		{"apparmor-disabled.yml", []string{AppArmorDisabled}, true},
 		{"apparmor-disabled-overriden.yml", []string{override.GetOverriddenResultName(AppArmorDisabled)}, true},
+		{"apparmor-disabled-overriden-old-label.yml", []string{override.GetOverriddenResultName(AppArmorDisabled)}, true},
 		{"apparmor-disabled-overriden-multiple.yml", []string{AppArmorAnnotationMissing, override.GetOverriddenResultName(AppArmorDisabled)}, true},
 		// These are invalid manifests so we should only test it in manifest mode as kubernetes will fail to apply it
 		{"apparmor-bad-value.yml", []string{AppArmorBadValue}, false},

auditors/apparmor/fixtures/apparmor-bad-value-override.yml

@@ -6,7 +6,7 @@ metadata:
   annotations:
     container.apparmor.security.beta.kubernetes.io/container: badval
   labels:
-    container.audit.kubernetes.io/container.allow-disabled-apparmor: "SomeReason"
+    container.audit.kubeaudit.io/container.allow-disabled-apparmor: "SomeReason"
 spec:
   containers:
     - name: container

auditors/apparmor/fixtures/apparmor-disabled-overriden-multiple.yml

@@ -6,7 +6,7 @@ metadata:
   annotations:
     container.apparmor.security.beta.kubernetes.io/container2: unconfined
   labels:
-    container.audit.kubernetes.io/container2.allow-disabled-apparmor: "SomeReason"
+    container.kubeaudit.io/container2.allow-disabled-apparmor: "SomeReason"
 spec:
   containers:
     - name: container

auditors/apparmor/fixtures/apparmor-disabled-overriden-old-label.yml

@@ -0,0 +1,14 @@
+# this is to test backwards compatibility with old unregistered annotations (kubernetes.io)
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+  namespace: apparmor-disabled-overriden-old-label
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/container: unconfined
+  labels:
+    container.audit.kubernetes.io/container.allow-disabled-apparmor: "SomeReason"
+spec:
+  containers:
+    - name: container
+      image: scratch

auditors/apparmor/fixtures/apparmor-disabled-overriden.yml

@@ -1,3 +1,5 @@
+# this tests then new kubeaudit labels for overriding errors (kubeaudit.io)
+
 apiVersion: v1
 kind: Pod
 metadata:
@@ -6,7 +8,7 @@ metadata:
   annotations:
     container.apparmor.security.beta.kubernetes.io/container: unconfined
   labels:
-    container.audit.kubernetes.io/container.allow-disabled-apparmor: "SomeReason"
+    container.kubeaudit.io/container.allow-disabled-apparmor: "SomeReason"
 spec:
   containers:
     - name: container

auditors/asat/fixtures/service-account-token-redundant-override.yml

@@ -8,7 +8,7 @@ spec:
     metadata:
       labels:
         name: replicationcontroller
-        audit.kubernetes.io/pod.allow-automount-service-account-token: "SomeReason"
+        kubeaudit.io/allow-automount-service-account-token: "SomeReason"
     spec:
       automountServiceAccountToken: false
       containers:

auditors/asat/fixtures/service-account-token-true-allowed.yml

@@ -8,7 +8,7 @@ spec:
     metadata:
       labels:
         name: replicationcontroller
-        audit.kubernetes.io/pod.allow-automount-service-account-token: "SomeReason"
+        kubeaudit.io/allow-automount-service-account-token: "SomeReason"
     spec:
       automountServiceAccountToken: true
       containers:

auditors/capabilities/capabilities_test.go

@@ -40,6 +40,11 @@ func TestAuditCapabilities(t *testing.T) {
 			CapabilityShouldDropAll,
 			override.GetOverriddenResultName(CapabilityAdded),
 		}},
+		{"capabilities-some-allowed-multi-containers-mix-old-labels.yml", fixtureDir, []string{
+			CapabilityAdded,
+			CapabilityShouldDropAll,
+			override.GetOverriddenResultName(CapabilityAdded),
+		}},
 	}
 
 	for _, tc := range cases {

auditors/capabilities/fix_test.go

@@ -71,7 +71,7 @@ func TestFixCapabilities(t *testing.T) {
 		},
 		{
 			testName:     "Pod override",
-			overrides:    []string{override.GetPodOverrideLabel(getOverrideLabel("orange"))},
+			overrides:    []string{override.GetOverrideLabel(getOverrideLabel("orange"))},
 			add:          []string{"orange"},
 			expectedAdd:  []string{"orange"},
 			drop:         []string{},

auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-all-labels.yml

@@ -11,10 +11,10 @@ spec:
     metadata:
       labels:
         name: deployment
-        container.audit.kubernetes.io/container1.allow-capability-chown: "SomeReason"
-        container.audit.kubernetes.io/container1.allow-capability-sys-time: "SomeReason"
-        container.audit.kubernetes.io/container2.allow-capability-chown: "SomeReason"
-        container.audit.kubernetes.io/container2.allow-capability-sys-time: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
+        container.kubeaudit.io/container2.allow-capability-chown: "SomeReason"
+        container.kubeaudit.io/container2.allow-capability-sys-time: "SomeReason"
     spec:
       containers:
         - name: container1

auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-labels.yml

@@ -11,10 +11,10 @@ spec:
     metadata:
       labels:
         name: deployment
-        audit.kubernetes.io/pod.allow-capability-chown: "SomeReason"
-        container.audit.kubernetes.io/container1.allow-capability-chown: "SomeReason"
-        container.audit.kubernetes.io/container1.allow-capability-sys-time: "SomeReason"
-        container.audit.kubernetes.io/container2.allow-capability-sys-time: "SomeReason"
+        kubeaudit.io/allow-capability-chown: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
+        container.kubeaudit.io/container2.allow-capability-sys-time: "SomeReason"
     spec:
       containers:
         - name: container1

auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-old-labels.yml

@@ -0,0 +1,63 @@
+# this is to test backwards compatibility with old unregistered annotations (kubernetes.io)
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment
+  namespace: capabilities-some-allowed-multi-containers-mix-old-labels
+spec:
+  selector:
+    matchLabels:
+      name: deployment
+  template:
+    metadata:
+      labels:
+        name: deployment
+        audit.kubernetes.io/pod.allow-capability-chown: "SomeReason"
+        container.audit.kubernetes.io/container1.allow-capability-chown: "SomeReason"
+        container.audit.kubernetes.io/container1.allow-capability-sys-time: "SomeReason"
+        container.audit.kubernetes.io/container2.allow-capability-sys-time: "SomeReason"
+    spec:
+      containers:
+        - name: container1
+          image: scratch
+          securityContext:
+            capabilities:
+              add:
+                - SYS_TIME
+                - SYS_MODULE
+              drop:
+                - AUDIT_WRITE
+                - DAC_OVERRIDE
+                - FOWNER
+                - FSETID
+                - KILL
+                - MKNOD
+                - NET_BIND_SERVICE
+                - NET_RAW
+                - SETFCAP
+                - SETGID
+                - SETUID
+                - SETPCAP
+                - SYS_CHROOT
+        - name: container2
+          image: scratch
+          securityContext:
+            capabilities:
+              add:
+                - SYS_TIME
+                - SYS_MODULE
+              drop:
+                - AUDIT_WRITE
+                - DAC_OVERRIDE
+                - FOWNER
+                - FSETID
+                - KILL
+                - MKNOD
+                - NET_BIND_SERVICE
+                - NET_RAW
+                - SETFCAP
+                - SETGID
+                - SETUID
+                - SETPCAP
+                - SYS_CHROOT

auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-some-labels.yml

@@ -11,8 +11,8 @@ spec:
     metadata:
       labels:
         name: deployment
-        container.audit.kubernetes.io/container1.allow-capability-chown: "SomeReason"
-        container.audit.kubernetes.io/container1.allow-capability-sys-time: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
     spec:
       containers:
         - name: container1

auditors/capabilities/fixtures/capabilities-some-allowed.yml

@@ -11,8 +11,8 @@ spec:
     metadata:
       labels:
         name: deployment
-        audit.kubernetes.io/pod.allow-capability-chown: "SomeReason"
-        audit.kubernetes.io/pod.allow-capability-sys-time: "SomeReason"
+        kubeaudit.io/allow-capability-chown: "SomeReason"
+        kubeaudit.io/allow-capability-sys-time: "SomeReason"
     spec:
       containers:
         - name: container

auditors/hostns/fixtures/host-ipc-true-allowed.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   namespace: host-ipc-true-allowed
   labels:
-    audit.kubernetes.io/pod.allow-namespace-host-IPC: "SomeReason"
+    kubeaudit.io/allow-namespace-host-IPC: "SomeReason"
 spec:
   hostIPC: true
   containers:

auditors/hostns/fixtures/host-network-true-allowed.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   namespace: host-network-true-allowed
   labels:
-    audit.kubernetes.io/pod.allow-namespace-host-network: "SomeReason"
+    kubeaudit.io/allow-namespace-host-network: "SomeReason"
 spec:
   hostNetwork: true
   containers:

auditors/hostns/fixtures/host-pid-true-allowed.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   namespace: host-pid-true-allowed
   labels:
-    audit.kubernetes.io/pod.allow-namespace-host-PID: "SomeReason"
+    kubeaudit.io/allow-namespace-host-PID: "SomeReason"
 spec:
   hostPID: true
   containers:

auditors/hostns/fixtures/namespaces-all-true-allowed.yml

@@ -4,9 +4,9 @@ metadata:
   name: pod
   namespace: namespaces-all-true-allowed
   labels:
-    audit.kubernetes.io/pod.allow-namespace-host-network: "SomeReason"
-    audit.kubernetes.io/pod.allow-namespace-host-IPC: "SomeReason"
-    audit.kubernetes.io/pod.allow-namespace-host-PID: "SomeReason"
+    kubeaudit.io/allow-namespace-host-network: "SomeReason"
+    kubeaudit.io/allow-namespace-host-IPC: "SomeReason"
+    kubeaudit.io/allow-namespace-host-PID: "SomeReason"
 spec:
   hostPID: true
   hostIPC: true

auditors/hostns/fixtures/namespaces-redundant-override.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   namespace: namespaces-redundant-override
   labels:
-    audit.kubernetes.io/pod.allow-namespace-host-network: "SomeReason"
+    kubeaudit.io/allow-namespace-host-network: "SomeReason"
 spec:
   hostNetwork: false
   containers:

auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-multi-labels.yml

@@ -4,8 +4,8 @@ metadata:
   name: pod
   labels:
     name: pod
-    container.audit.kubernetes.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
-    container.audit.kubernetes.io/container2.allow-host-path-mount-proc-volume: "SomeReason"
+    container.kubeaudit.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
+    container.kubeaudit.io/container2.allow-host-path-mount-proc-volume: "SomeReason"
   namespace: proc-mounted-allowed-multi-containers-multi-labels
 spec:
   containers:

auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-single-label.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   labels:
     name: pod
-    container.audit.kubernetes.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
+    container.kubeaudit.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
   namespace: proc-mounted-allowed-multi-containers-single-label
 spec:
   containers:

auditors/mounts/fixtures/proc-mounted-allowed.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   labels:
     name: pod
-    audit.kubernetes.io/pod.allow-host-path-mount-proc-volume: "SomeReason"
+    kubeaudit.io/allow-host-path-mount-proc-volume: "SomeReason"
   namespace: proc-mounted-allowed
 spec:
   containers:

auditors/netpols/fixtures/namespace-allow-missing-default-deny-ingress-old-label.yml

@@ -0,0 +1,19 @@
+# this is to test backwards compatibility with old unregistered annotations (kubernetes.io)
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: namespace-allow-missing-default-deny-ingress-old-label
+  labels:
+    audit.kubernetes.io/namespace.allow-non-default-deny-ingress-network-policy: "SomeReason"
+---
+# https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+  namespace: namespace-allow-missing-default-deny-ingress-old-label
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+

auditors/netpols/fixtures/namespace-missing-default-deny-egress-netpol-allowed.yml

@@ -3,7 +3,7 @@ kind: Namespace
 metadata:
   name: namespace-missing-default-deny-egress-netpol-allowed
   labels:
-    audit.kubernetes.io/namespace.allow-non-default-deny-egress-network-policy: "SomeReason"
+    kubeaudit.io/allow-non-default-deny-egress-network-policy: "SomeReason"
 ---
 # https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
 apiVersion: networking.k8s.io/v1

auditors/netpols/fixtures/namespace-missing-default-deny-ingress-netpol-allowed.yml

@@ -3,7 +3,7 @@ kind: Namespace
 metadata:
   name: namespace-missing-default-deny-ingress-netpol-allowed
   labels:
-    audit.kubernetes.io/namespace.allow-non-default-deny-ingress-network-policy: "SomeReason"
+    kubeaudit.io/allow-non-default-deny-ingress-network-policy: "SomeReason"
 ---
 # https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
 apiVersion: networking.k8s.io/v1

auditors/netpols/fixtures/namespace-missing-default-deny-netpol-allowed.yml

@@ -3,8 +3,8 @@ kind: Namespace
 metadata:
   name: namespace-missing-default-deny-netpol-allowed
   labels:
-    audit.kubernetes.io/namespace.allow-non-default-deny-egress-network-policy: "SomeReason"
-    audit.kubernetes.io/namespace.allow-non-default-deny-ingress-network-policy: "SomeReason"
+    kubeaudit.io/allow-non-default-deny-egress-network-policy: "SomeReason"
+    kubeaudit.io/allow-non-default-deny-ingress-network-policy: "SomeReason"
 ---
 # https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/07-allow-traffic-from-some-pods-in-another-namespace.md
 kind: NetworkPolicy

auditors/netpols/netpols_test.go

@@ -23,6 +23,7 @@ func TestAuditDefaultDenyNetworkPolicies(t *testing.T) {
 		{"namespace-missing-default-deny-netpol-allowed.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyIngressAndEgressNetworkPolicy)}},
 		{"namespace-missing-default-deny-egress-netpol-allowed.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyEgressNetworkPolicy)}},
 		{"namespace-missing-default-deny-ingress-netpol-allowed.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyIngressNetworkPolicy)}},
+		{"namespace-allow-missing-default-deny-ingress-old-label.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyIngressNetworkPolicy)}},
 	}
 
 	for _, tc := range cases {

auditors/nonroot/fixtures/run-as-non-root-false-allowed.yml

@@ -12,7 +12,7 @@ spec:
     metadata:
       labels:
         name: deployment
-        audit.kubernetes.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+        kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
     spec:
       containers:
         - name: container

auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-multi-labels.yml

@@ -4,8 +4,8 @@ metadata:
   name: pod
   labels:
     name: pod
-    container.audit.kubernetes.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
-    container.audit.kubernetes.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    container.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    container.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
   namespace: run-as-non-root-psc-false-allowed-multi-containers-multi-labels
 spec:
   securityContext:

auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-single-label.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   labels:
     name: pod
-    container.audit.kubernetes.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    container.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
   namespace: run-as-non-root-psc-false-allowed-multi-containers-single-label
 spec:
   securityContext: