Shopify / kubeaudit

kubeaudit helps you audit your Kubernetes clusters against common security controls
MIT License

Not finding errors in deployment #523

Open mtcolman opened 1 year ago

mtcolman commented 1 year ago
ISSUE TYPE

BUG REPORT

SUMMARY

I'm testing a deployment.yaml with low/no securityContexts within, and kubeaudit is not reporting any findings.

ENVIRONMENT
STEPS TO REPRODUCE

Use this yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
  labels:
    app.kubernetes.io/name: mysql
    app.kubernetes.io/instance: mysql-abcxzy
    app.kubernetes.io/version: "5.7.21"
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: wordpress
    app.kubernetes.io/managed-by: helm
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes
      release: 1.7
  template:
    metadata:
      labels:
        app: hello-kubernetes
        release: 1.7
    spec:
#      securityContext:
#        runAsNonRoot: true
      containers:
      - name: container-one
        image: mytest/container-one:1.5
#        securityContext:
#          runAsNonRoot: true
        ports:
        - containerPort: 8080
      - name: container-two
        image: mytest/container-two:2.2
#        securityContext:
#          runAsNonRoot: true
        ports:
        - containerPort: 9000
EXPECTED RESULTS

I expected a lot of results of missing securityContexts and security related settings

ACTUAL RESULTS
$ kubeaudit all -f "deployment.yaml"
All checks completed. 0 high-risk vulnerabilities found
ADDITIONAL INFO

A similar test with a pod manifest worked as follows:

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
#  securityContext:
#    runAsNonRoot: true
  containers:
    - name: container-one
      image: mytest/container-one:1.5
      securityContext:
        runAsNonRoot: true
      ports:
      - containerPort: 8080
    - name: container-two
      image: mytest/container-two:2.2
#      securityContext:
#        runAsNonRoot: true
      ports:
      - containerPort: 9000
$ kubeaudit all -f "pod.yaml"

---------------- Results for ---------------

  apiVersion: v1
  kind: Pod
  metadata:
    name: example-pod

--------------------------------------------

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container-one' should be added.
   Metadata:
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container-one
      Container: container-one

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container-two' should be added.
   Metadata:
      Container: container-two
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container-two

-- [error] AutomountServiceAccountTokenTrueAndDefaultSA
   Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.

-- [error] CapabilityOrSecurityContextMissing
   Message: Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL.
   Metadata:
      Container: container-one

-- [error] CapabilityOrSecurityContextMissing
   Message: Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL.
   Metadata:
      Container: container-two

-- [warning] LimitsNotSet
   Message: Resource limits not set.
   Metadata:
      Container: container-one

-- [warning] LimitsNotSet
   Message: Resource limits not set.
   Metadata:
      Container: container-two

-- [error] RunAsNonRootPSCNilCSCNil
   Message: runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.
   Metadata:
      Container: container-two

-- [error] AllowPrivilegeEscalationNil
   Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
   Metadata:
      Container: container-one

-- [error] AllowPrivilegeEscalationNil
   Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
   Metadata:
      Container: container-two

-- [warning] PrivilegedNil
   Message: privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.
   Metadata:
      Container: container-one

-- [warning] PrivilegedNil
   Message: privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.
   Metadata:
      Container: container-two

-- [error] ReadOnlyRootFilesystemNil
   Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
   Metadata:
      Container: container-one

-- [error] ReadOnlyRootFilesystemNil
   Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
   Metadata:
      Container: container-two

-- [error] SeccompProfileMissing
   Message: Pod Seccomp profile is missing. Seccomp profile should be added to the pod SecurityContext.
github-actions[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the issue template!

dani-santos-code commented 1 year ago

Thank you for the bug report @mtcolman. Will try to reproduce on my end. Are you looking into implementing a fix or should we go ahead and fix it?

mtcolman commented 1 year ago

@dani-santos-code thanks for getting back to me - I've now remembered that the issue was due to the labels:

release: 1.7

Needed to be changed to have quotes:

release: "1.7"

And then it worked:

kubeaudit all -f "deployment.yaml"

---------------- Results for ---------------

  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: hello-kubernetes

--------------------------------------------

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container-one' should be added.
   Metadata:
      Container: container-one
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container-one
...
...

So I think your code needs to handle if key/value pairs are incorrectly configured - i.e. it should realise it can/can't scan and then exit gracefully, rather than telling me there are no issues (when there clearly are some, as it found them when I've corrected a key/value error).
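
The reporter's finding above is that an unquoted `release: 1.7` label made kubeaudit report zero findings, while quoting it produced the expected results. Kubernetes label and selector values must be strings, and a YAML parser types an unquoted `1.7` as a float rather than a string. The pre-flight check below is an added example, not kubeaudit's own code: it walks a manifest line by line and flags entries under string-only mappings (`labels`, `matchLabels`, `annotations`, `nodeSelector`) that YAML would not read as strings, so such a manifest is caught before the audit instead of passing as clean; the trimmed Deployment it scans is constructed from the one in the issue.

```python
import re
# Mapping keys whose values Kubernetes requires to be strings (map[string]string).
# YAML types an unquoted 1.7 / true / 2024 under them as float/bool/int, so the
# manifest no longer decodes into a Deployment or Pod and nothing gets audited.
STRING_MAP_KEYS = {"labels", "matchLabels", "annotations", "nodeSelector"}
# Plain (unquoted) scalars that YAML types as something other than a string.
NON_STRING_SCALAR = re.compile(
    r"^(?:[-+]?(?:\d+|\d*\.\d+)(?:[eE][-+]?\d+)?|0x[0-9a-fA-F]+"
    r"|true|false|yes|no|on|off|null|~)$", re.IGNORECASE)
# "  key: value" or "  - key: value"; value is empty when a nested mapping follows.
KEY_VALUE = re.compile(r"^(\s*)(?:- )?([^#:\s][^:]*):\s*(.*?)\s*$")

def find_unquoted_non_string_values(manifest: str):
    """Return (line_no, key, value) for each string-map entry YAML would not read as a string."""
    findings = []
    parent = child = None  # indent of the current string-map key / of its entries
    for line_no, raw in enumerate(manifest.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments neither open nor close a block
        m = KEY_VALUE.match(raw)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2).strip()
        value = re.sub(r"\s+#.*$", "", m.group(3))  # drop a trailing comment
        if parent is not None and indent <= parent:
            parent = child = None  # dedented past the mapping: block ended
        if parent is not None:
            child = indent if child is None else child
            if indent == child and NON_STRING_SCALAR.match(value):
                findings.append((line_no, key, value))
            continue
        if key in STRING_MAP_KEYS and value == "":
            parent = indent  # its entries follow on deeper-indented lines
    return findings

# Constructed sample: the issue's Deployment, trimmed to the parts that matter.
DEPLOYMENT = """\
kind: Deployment
spec:
  selector:
    matchLabels:
      app: hello-kubernetes
      release: 1.7
  template:
    metadata:
      labels:
        release: 1.7
        app.kubernetes.io/version: "5.7.21"
    spec: {}
"""
```

Running the check on the sample reports both `release: 1.7` lines; quoting them, as the reporter did, makes it return nothing.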

mtcolman commented 1 year ago

And I'd be very grateful if you could please provide the fix (as I don't know how).