fix(checks): respect PodSecurityContext for containers #315

Merged (1 commit) Jan 16, 2025

Conversation

@nikpivkin (Contributor) commented Jan 14, 2025

Fixes: aquasecurity/trivy#8210

SecurityContext may inherit some fields from PodSecurityContext. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core

Before:

❯ trivy conf test.yaml
2025-01-14T16:15:39+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-14T16:15:43+06:00       INFO    Detected config files   num=1

test.yaml (kubernetes)

Tests: 93 (SUCCESSES: 91, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

AVD-KSV-0020 (LOW): Container 'sec-ctx-demo' of Pod 'security-context-demo' should set 'securityContext.runAsUser' > 10000
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.

See https://avd.aquasec.com/misconfig/ksv020
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 test.yaml:15-35
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌   - name: sec-ctx-demo
  16 │     image: busybox:42
  17 │     command: [ "sh", "-c", "sleep 1h" ]
  18 │     volumeMounts:
  19 │     - name: sec-ctx-vol
  20 │       mountPath: /data/demo
  21 │     resources:
  22 │       requests:
  23 └         cpu: 100m
  ..   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0021 (LOW): Container 'sec-ctx-demo' of Pod 'security-context-demo' should set 'securityContext.runAsGroup' > 10000
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.

See https://avd.aquasec.com/misconfig/ksv021
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 test.yaml:15-35
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌   - name: sec-ctx-demo
  16 │     image: busybox:42
  17 │     command: [ "sh", "-c", "sleep 1h" ]
  18 │     volumeMounts:
  19 │     - name: sec-ctx-vol
  20 │       mountPath: /data/demo
  21 │     resources:
  22 │       requests:
  23 └         cpu: 100m
  ..   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

After:

❯ trivy conf --cache-dir cache --checks-bundle-repository localhost:5111/trivy-checks:latest test.yaml
2025-01-14T16:15:55+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-14T16:15:55+06:00       INFO    [misconfig] Need to update the built-in checks
2025-01-14T16:15:55+06:00       INFO    [misconfig] Downloading the built-in checks...
163.59 KiB / 163.59 KiB [---------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-14T16:15:57+06:00       INFO    Detected config files   num=1

# selector:
# - type: kubernetes
# - type: rbac
package lib.k8s_sec_context
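Review bot: the selector header of the new `lib.k8s_sec_context` package lists `- type: rbac` next to `- type: kubernetes`, but a library that only resolves pod and container security contexts has nothing to evaluate on RBAC resources; if the header was carried over when the functions were split out of the kubernetes package (see the comment below), consider dropping the `rbac` entry or adding a short comment explaining why it is needed.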
nikpivkin (Contributor, Author) commented on this line:

I had to create a separate package for some functions, because the kubernetes package defines an object rule that overrides OPA functions with namespace object. I did not change the name of the rule as it is library and used in checks.

@@ -23,7 +23,7 @@ test_pod_context_custom_profile_denied if {
},
}

count(r) == 1
count(r) == 2
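Review bot: the updated assertion `count(r) == 2` only checks how many results the pod-level custom profile produces, not which ones; since the comment below says the extra result is the container-level rule now firing on the inherited value, assert on the two results' messages (or the set of flagged resource names) so the test still distinguishes "pod plus container" from two copies of the same result once the follow-up deduplication lands.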
nikpivkin (Contributor, Author) commented on this line:

Now securityContext inherits podSecurityContext, so both the rules for the pod and the container are triggered here. We can improve this rule in a separate PR for result deduplication.
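The inheritance the PR description refers to, and the duplicate pod/container findings mentioned in the review comment above, as an added Python example; this is not trivy-checks' Rego and not the author's code. It assumes the fallback field list from the Kubernetes SecurityContext reference (runAsUser, runAsGroup, runAsNonRoot, seccompProfile, seLinuxOptions and windowsOptions fall back to the PodSecurityContext; fsGroup, supplementalGroups and sysctls are pod-only), uses the KSV020/KSV021 threshold of 10000, and adds an illustrative two-level rule named SECCOMP that is not one of trivy's checks. The manifest is constructed for the example.

```python
# Added example (not trivy-checks' own Rego): resolve each container's
# effective SecurityContext by applying PodSecurityContext fallbacks, then
# evaluate KSV020/KSV021-style checks and show why a value checked at both
# pod and container level yields duplicate findings after inheritance.

MIN_ID = 10000  # KSV020/KSV021: runAsUser / runAsGroup must be > 10000

# Container SecurityContext fields that fall back to the PodSecurityContext
# when unset (assumption from the Kubernetes API reference).  fsGroup,
# supplementalGroups and sysctls are pod-only and are not propagated.
INHERITED_FIELDS = (
    "runAsUser", "runAsGroup", "runAsNonRoot",
    "seccompProfile", "seLinuxOptions", "windowsOptions",
)


def effective_security_context(pod_ctx, container_ctx):
    """Return (effective, sources): the merged context and, per field,
    whether the value came from the 'container' or was inherited from 'pod'."""
    pod_ctx = pod_ctx or {}
    effective, sources = {}, {}
    for field, value in (container_ctx or {}).items():
        effective[field] = value          # container setting always wins
        sources[field] = "container"
    for field in INHERITED_FIELDS:
        if field not in effective and field in pod_ctx:
            effective[field] = pod_ctx[field]
            sources[field] = "pod"
    return effective, sources


def id_finding(check_id, field, pod_name, container, ctx, sources):
    """One finding when the effective numeric ID is unset or <= MIN_ID."""
    value = ctx.get(field)
    if value is not None and value > MIN_ID:
        return None
    return {"id": check_id, "field": field, "pod": pod_name,
            "container": container["name"],
            "source": sources.get(field, "unset")}


def check_pod(pod, inherit=True):
    """Evaluate KSV020/KSV021-style checks on every container of a Pod.
    inherit=False reproduces the pre-fix behaviour: only the container's
    own securityContext is inspected, so pod-level IDs are ignored."""
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext", {}) if inherit else {}
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(kind, []):
            ctx, sources = effective_security_context(
                pod_ctx, container.get("securityContext"))
            for check_id, field in (("KSV020", "runAsUser"),
                                    ("KSV021", "runAsGroup")):
                finding = id_finding(check_id, field, pod["metadata"]["name"],
                                     container, ctx, sources)
                if finding:
                    findings.append(finding)
    return findings


def seccomp_findings(pod):
    """Illustrative two-level rule (hypothetical, not one of trivy's): an
    Unconfined seccomp profile is reported at pod level and, because of
    inheritance, again for every container that did not override it."""
    spec, name = pod["spec"], pod["metadata"]["name"]
    pod_ctx = spec.get("securityContext", {})
    findings = []
    if pod_ctx.get("seccompProfile", {}).get("type") == "Unconfined":
        findings.append({"id": "SECCOMP", "level": "pod", "pod": name,
                         "container": None, "source": "pod"})
    for container in spec.get("containers", []):
        ctx, sources = effective_security_context(
            pod_ctx, container.get("securityContext"))
        if ctx.get("seccompProfile", {}).get("type") == "Unconfined":
            findings.append({"id": "SECCOMP", "level": "container",
                             "pod": name, "container": container["name"],
                             "source": sources["seccompProfile"]})
    return findings


def deduplicate(findings):
    """Drop container findings whose offending value was inherited from the
    pod when the same check already fired at pod level for that pod."""
    pod_level = {(f["id"], f["pod"]) for f in findings if f["level"] == "pod"}
    return [f for f in findings
            if not (f["level"] == "container" and f["source"] == "pod"
                    and (f["id"], f["pod"]) in pod_level)]


# Constructed manifest mirroring the issue: IDs set only at pod level for the
# first container, with a second container overriding runAsUser and seccomp.
POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "security-context-demo"},
    "spec": {
        "securityContext": {"runAsUser": 10001, "runAsGroup": 10001,
                            "fsGroup": 2000,
                            "seccompProfile": {"type": "Unconfined"}},
        "containers": [
            {"name": "sec-ctx-demo", "image": "busybox:42",
             "command": ["sh", "-c", "sleep 1h"]},
            {"name": "override", "image": "busybox:42",
             "securityContext": {"runAsUser": 1000,
                                 "seccompProfile": {"type": "RuntimeDefault"}}},
        ],
    },
}

if __name__ == "__main__":
    print("before fix:", check_pod(POD, inherit=False))
    print("after fix: ", check_pod(POD))
    print("dedup'd:   ", deduplicate(seccomp_findings(POD)))
```

With `inherit=False` the first container is flagged for both IDs even though the pod sets them to 10001, which is the false positive from the issue; with inheritance only the `override` container's explicit `runAsUser: 1000` remains. The `source` field is what makes deduplication possible: a container finding is dropped only when its value came from the pod and the pod-level rule already reported it, so a container that sets a bad value itself is still reported.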

nikpivkin (Contributor, Author) commented:

I've opened the PR

@nikpivkin nikpivkin marked this pull request as ready for review January 14, 2025 10:14
@nikpivkin nikpivkin requested a review from simar7 as a code owner January 14, 2025 10:14
@simar7 simar7 added this pull request to the merge queue Jan 16, 2025
Merged via the queue into aquasecurity:main with commit 07db85b Jan 16, 2025
6 checks passed
Successfully merging this pull request may close these issues.

fix(misconf): Kubernetes Security Check Flagging KSV020 and KSV021 when configured at pod level
2 participants