Open m-wynn opened 2 weeks ago
@m-wynn Hi, I tested this with Checkov version 3.2.250. The example file you provided above does trigger a number of K8s policies; not sure if this was different in an even earlier version. Anyhow, this is what I'm seeing with 3.2.250:
```text
checkov -f ckv2_k8s_1.yaml
[ kubernetes framework ]: 100%|████████████████████|[1/1], Current File Scanned=ckv2_k8s_1.yaml
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=ckv2_k8s_1.yaml
[ secrets framework ]: 0%| |[0/1], Current File Scanned=ckv2_k8s_1.yaml
       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By Prisma Cloud | version: 3.2.250
Update available 3.2.250 -> 3.2.269
Run pip3 install -U checkov to update

kubernetes scan results:

Passed checks: 5, Failed checks: 1, Skipped checks: 0

Check: CKV_K8S_156: "Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests"
	PASSED for resource: ClusterRole.default.test
	File: /ckv2_k8s_1.yaml:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized
Check: CKV_K8S_158: "Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles"
	PASSED for resource: ClusterRole.default.test
	File: /ckv2_k8s_1.yaml:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-roles-and-clusterroles-that-grant-permissions-to-escalate-roles-or-clusterrole-are-minimized
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
	PASSED for resource: ClusterRole.default.test
	File: /ckv2_k8s_1.yaml:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized
Check: CKV_K8S_157: "Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings"
	PASSED for resource: ClusterRole.default.test
	File: /ckv2_k8s_1.yaml:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-roles-and-clusterroles-that-grant-permissions-to-bind-rolebindings-or-clusterrolebindings-are-minimized
Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
	PASSED for resource: ClusterRoleBinding.default.my-cluster-role-binding
	File: /ckv2_k8s_1.yaml:14-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
	FAILED for resource: ClusterRole.default.test
	File: /ckv2_k8s_1.yaml:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles

		2  | apiVersion: rbac.authorization.k8s.io/v1
		3  | kind: ClusterRole
		4  | metadata:
		5  |   name: test
		6  | rules:
		7  | - apiGroups:
		8  |   - my-custom.api.group
		9  |   resources:
		10 |   - "*"
		11 |   verbs:
		12 |   - "*"
		13 | ---
```
Yes, this passes on the .250 version but not the most recent.
Describe the issue

CKV2_K8S_1-5 check if ClusterRoleBindings have access to read all secrets, impersonate permissions, set nodes/proxy or pods/exec by checking for wildcards, etc. However, they don't check apiGroups. If you want to give your ServiceAccount `*` within your API group, that should only trigger CKV_K8S_49 (minimize wildcard use in Roles and ClusterRoles), not these specific rules.
I believe this started on a fairly recent version of Checkov. I saw it on 3.2.257, but I don't remember seeing it on 3.2.250.
Examples
The Prometheus-Adapter Helm Chart also runs into this issue.
Version (please complete the following information):
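To make the apiGroups point concrete, here is an added example (not Checkov's code, and not from this issue's author) of a minimal RBAC rule evaluator that matches a request against `apiGroups`, `resources` and `verbs` with Kubernetes wildcard semantics. The rule sets are constructed for illustration; the first mirrors the ClusterRole from the report, and the check names `can_read_all_secrets` and `uses_wildcard` are this example's own, approximating the intent of CKV2_K8S_1 and CKV_K8S_49.

```python
from typing import Dict, List

# Constructed rule sets. CUSTOM_GROUP_WILDCARD mirrors the report's ClusterRole:
# "*" resources and verbs, but restricted to a custom API group.
CUSTOM_GROUP_WILDCARD = [
    {"apiGroups": ["my-custom.api.group"], "resources": ["*"], "verbs": ["*"]},
]
# Constructed rules that genuinely grant cluster-wide secret reads.
CORE_SECRETS_READ = [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
]
ALL_WILDCARD = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]


def _matches(allowed: List[str], wanted: str) -> bool:
    """RBAC matching for one field: '*' matches everything, else exact name.
    (Subresource patterns such as 'pods/*' are not modelled here.)"""
    return "*" in allowed or wanted in allowed


def rule_grants(rule: Dict[str, List[str]], api_group: str,
                resource: str, verb: str) -> bool:
    """True if a single PolicyRule allows `verb` on `resource` in `api_group`.
    The core API group (secrets, pods, nodes) is the empty string ""."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def grants(rules: List[Dict[str, List[str]]], api_group: str,
           resource: str, verb: str) -> bool:
    """A role grants a request if any one of its rules does."""
    return any(rule_grants(r, api_group, resource, verb) for r in rules)


def can_read_all_secrets(rules: List[Dict[str, List[str]]]) -> bool:
    """Group-aware version of the 'read all secrets' question: the request
    is scoped to the core API group, so a wildcard in another group is not
    counted."""
    return any(grants(rules, "", "secrets", v) for v in ("get", "list", "watch"))


def uses_wildcard(rules: List[Dict[str, List[str]]]) -> bool:
    """The broader 'minimize wildcard use' question: any '*' in any field."""
    return any("*" in r.get(k, [])
               for r in rules for k in ("apiGroups", "resources", "verbs"))
```

With group matching in place, the report's ClusterRole still trips the wildcard check but no longer counts as reading secrets or creating `pods/exec`.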