aws-samples / hardeneks

Runs checks to see if an EKS cluster follows EKS Best Practices.
https://aws-samples.github.io/hardeneks/
MIT No Attribution

Read-only root file system check broken if the container.security_context not defined #45

Open alen-caljuksic opened 1 year ago

alen-caljuksic commented 1 year ago

It seems to me the pod should be added to the offender list when container.security_context is not defined: https://github.com/aws-samples/hardeneks/blob/main/hardeneks/namespace_based/security/pod_security.py#L146

dorukozturk commented 1 year ago

Hi, thank you for creating an issue. Can you elaborate a little bit? In the linked scenario, if security_context does not have the read_only_root_filesystem attribute, it gets added to the list of offenders. Is there a different check that you are looking for?

za commented 2 months ago

Hi @dorukozturk

What if the container doesn't have this parameter?

securityContext:
  readOnlyRootFilesystem: true

I can see that it is not added to the offender list, which is wrong. CMIIW.

Maybe this is what @alen-caljuksic meant:

pod should be added to an offender list when container.security_context not defined

It works fine when I have this parameter:

securityContext:
  readOnlyRootFilesystem: false

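The behaviour za describes, as an added example that is not hardeneks's own code (the project's real check lives in the pod_security.py file linked above): a minimal re-implementation of the read-only root file system check using constructed stand-ins for the kubernetes client's container and security-context objects, showing the skipped-container failure mode beside a version that treats a missing securityContext as an offender.

```python
from dataclasses import dataclass
from typing import List, Optional


# Constructed stand-ins for the kubernetes client's V1SecurityContext and
# V1Container objects; only the attributes the check needs are modelled.
@dataclass
class SecurityContext:
    read_only_root_filesystem: Optional[bool] = None


@dataclass
class Container:
    name: str
    security_context: Optional[SecurityContext] = None


def offenders_broken(containers: List[Container]) -> List[str]:
    """The failure mode from the thread: a container with no securityContext
    at all is skipped, so an undefined setting reads as compliant."""
    offenders = []
    for c in containers:
        if c.security_context is None:
            continue  # bug: "undefined" is silently treated as safe
        if not c.security_context.read_only_root_filesystem:
            offenders.append(c.name)
    return offenders


def offenders_fixed(containers: List[Container]) -> List[str]:
    """A container passes only when securityContext exists AND
    readOnlyRootFilesystem is explicitly true; None and False both fail."""
    offenders = []
    for c in containers:
        sc = c.security_context
        if sc is None or sc.read_only_root_filesystem is not True:
            offenders.append(c.name)
    return offenders


# Constructed sample covering the cases discussed in the issue.
SAMPLE = [
    Container("ro-true", SecurityContext(read_only_root_filesystem=True)),
    Container("ro-false", SecurityContext(read_only_root_filesystem=False)),
    Container("ctx-no-field", SecurityContext()),  # context present, field omitted
    Container("no-ctx", None),                     # no securityContext at all
]

if __name__ == "__main__":
    print("broken:", offenders_broken(SAMPLE))  # ['ro-false', 'ctx-no-field']
    print("fixed: ", offenders_fixed(SAMPLE))   # ['ro-false', 'ctx-no-field', 'no-ctx']
```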