RedHatProductSecurity / rapidast

RapiDAST enables simple, continuous and fully automated application security testing
Apache License 2.0

Issue retrieving results with helm/results.sh #120

Closed sarroutbi closed 1 year ago

sarroutbi commented 1 year ago

Hello. I am trying to perform a rapidast execution on an OpenShift cluster.

I am using installation through helm, and it works correctly.

However, if I try to extract results, I get the following error:

$ sh helm/results.sh 
Error from server (Forbidden): error when creating "/tmp/rapiterm-19375": pods "rapiterm-19375" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or 
container "terminal" must set securityContext.runAsNonRoot=true)

If I try to configure securityContext as in this diff:

$ git diff helm/results.sh
diff --git a/helm/results.sh b/helm/results.sh
index a4cb379..1e83e99 100644
--- a/helm/results.sh
+++ b/helm/results.sh
@@ -37,14 +37,28 @@ spec:
         requests:
           cpu: 50m
           memory: 100Mi
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: ["ALL"]
+        seccompProfile:
+          type: "RuntimeDefault"
+        runAsNonRoot: true
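Review bot: the added `securityContext` sets `runAsNonRoot: true` without a `runAsUser`, so the pod can pass PodSecurity admission and still be refused at container start if the image's default user is root or a non-numeric user name. Consider adding an explicit non-zero `runAsUser`, or confirming that the image used for the "terminal" container declares a numeric non-root user. Separately, the hunk header `@@ -37,14 +37,28 @@` announces 14 added lines while only 7 are visible here, so the rest of the change cannot be checked from this excerpt.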

The pod is started correctly:

$ sh helm/results.sh 
Error from server (Forbidden): error when creating "/tmp/rapiterm-19375": pods "rapiterm-19375" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or 
container "terminal" must set securityContext.runAsNonRoot=true)

However, the pod is failing, dumping the following logs:

$ oc describe pod rapiterm
...
$ sh helm/results.sh 
Error from server (Forbidden): error when creating "/tmp/rapiterm-19375": pods "rapiterm-19375" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or 
container "terminal" must set securityContext.runAsNonRoot=true)
...

Am I doing something wrong? This seems to be a chicken-and-egg issue ...

Thanks for your help
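The PodSecurity "restricted" violation quoted in the post above can be checked offline before a manifest is submitted. The following is an added example, not part of the original issue or of the RapiDAST project; the function name and both sample manifests are constructed, and it covers only the four controls that appear in the diff above, not the whole restricted profile.

```python
# Added example: offline check of a pod manifest against four controls of the
# Kubernetes "restricted" Pod Security Standard (the fields set in the diff).
# Assumption: volumes, runAsUser, host namespaces and ephemeral containers
# are out of scope here; the real admission check covers more.

def restricted_violations(pod):
    """Return a list of violations for a pod manifest given as a dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    violations = []
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # runAsNonRoot: a container-level value overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot != true")

        # allowPrivilegeEscalation exists only at container level.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation != false")

        # Every container must drop ALL capabilities.
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            violations.append(f"{name}: capabilities.drop must include ALL")

        # seccompProfile: container-level value first, then pod-level.
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type not RuntimeDefault/Localhost")
    return violations

# Constructed sample manifests (not taken from helm/results.sh).
BARE_POD = {"metadata": {"name": "rapiterm-example"},
            "spec": {"containers": [{"name": "terminal", "image": "example/image"}]}}
HARDENED_POD = {"metadata": {"name": "rapiterm-example"},
                "spec": {"containers": [{
                    "name": "terminal", "image": "example/image",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]},
                                        "seccompProfile": {"type": "RuntimeDefault"},
                                        "runAsNonRoot": True}}]}}

if __name__ == "__main__":
    for label, pod in (("bare", BARE_POD), ("hardened", HARDENED_POD)):
        print(label, restricted_violations(pod) or "no violations in the checked controls")
```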

jeremychoi commented 1 year ago

Hello,

Just a quick check for now. Did you try "adding '{ "privileged": true}'" to https://github.com/RedHatProductSecurity/rapidast/blob/development/helm/chart/values.yaml#L14 when you created a job (as stated in helm/README.md)?

sarroutbi commented 1 year ago

I will try it and let you know. Thanks for your quick response

sarroutbi commented 1 year ago

It seems that after applying the change, the errors disappear. I have errors in jobs, but that seems to be related to a different issue, so I will investigate it and open another issue if necessary.

Thanks @jeremychoi