controlplaneio / kubesec

Security risk analysis for Kubernetes resources
https://kubesec.io
Apache License 2.0

.spec.hostAliases not recognized in deployment #47

Closed d47zm3 closed 5 years ago

d47zm3 commented 5 years ago

Despite having hostAliases specified, kubesec reports it as missing; here's the YAML and the result of a POST to kubesec.io

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: "stage-release-name"
  labels:
    chart: "stage-release-name"
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
    container.apparmor.security.beta.kubernetes.io/components: runtime/default
spec:
  replicas: 2
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: "stage-release-name"
      annotations:
        checksum/config: b1cf7597ae2790dd889ef159dada9f7224896753a0a53399fd6fbb695b402ca9
    spec:
      automountServiceAccountToken: false
      hostAliases:
      - ip: "127.0.0.1"
        hostnames:
        - "localhost"
      serviceAccountName: "default"
      containers:
        - name: components
          image: "eu.gcr.io/project/components:13a44d56811f67e1709775ea987838eb257b3163"
          imagePullPolicy: Always
          ports:
          - name: nginx-port
            containerPort: 8080
            protocol: TCP
          volumeMounts:
          - name: nginx-config
            mountPath: /etc/nginx/conf.d/default.conf
            subPath: default.conf
          - name: nginx-config
            mountPath: /etc/nginx/nginx.conf
            subPath: nginx.conf
          - name: nginx-temporary
            mountPath: /tmp
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 10m
              memory: 10Mi
          readinessProbe:
            httpGet:
              path: /
              port: nginx-port
            initialDelaySeconds: 10
            timeoutSeconds: 2
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /
              port: nginx-port
            initialDelaySeconds: 15
            timeoutSeconds: 2
            periodSeconds: 15
            successThreshold: 1
            failureThreshold: 2
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsUser: 10001
            runAsNonRoot: true
      volumes:
      - name: nginx-config
        configMap:
          name: "stage-release-name-nginx-configmap"
      - name: nginx-temporary
        emptyDir: {}

Result:

curl -sSX POST --data-binary @"error.yaml" https://v2.kubesec.io/scan

[
  {
    "object": "Deployment/stage-release-name.default",
    "valid": true,
    "message": "Passed with a score of 13 points",
    "score": 13,
    "scoring": {
      "critical": [
        {
          "selector": ".spec .hostAliases",
          "reason": "Managing /etc/hosts aliases can prevent the container from modifying the file after a pod's containers have already been started. DNS should be managed by the orchestrator"
        }
      ]
    }
  }
]

Kubeval reports a valid deployment as well

kubeval error.yaml
The document error.yaml contains a valid Deployment
sublimino commented 5 years ago

Hi @d47zm3! The critical section of the scoring is to show negative points.

The advisory section contains recommendations.

To make it clearer we may introduce the points given for a particular entry in future.

So in your example the selector is matched, kubesec deducts some points, and provides a reason in the output.

Does that make sense? Would anything make this clearer? The wording in the reason is perhaps not the best here.
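To make the scoring semantics concrete, here is an added example (not kubesec's own code) of a small scanner in the same spirit: matched "critical" rules deduct points and are listed under `critical`, while "advise" rules add points when matched and are listed as recommendations only when they are not. The rule set, the point values and the reason strings are constructed assumptions, and the manifest is a reduced copy of the one in this issue built as a Python dict so the script runs without a YAML parser.

```python
import copy
import json


def containers(spec):
    """All containers in a pod spec, init containers included."""
    return spec.get("containers", []) + spec.get("initContainers", [])


def sc(container):
    """A container's securityContext, or an empty dict when absent."""
    return container.get("securityContext") or {}


# Illustrative rules over the pod spec. Point values and reasons are
# constructed assumptions, not kubesec's real weights; the selector
# strings only mirror kubesec's style.
RULES = [
    # (selector, category, points, reason, predicate over the pod spec)
    (".spec .hostAliases", "critical", -3,
     "Managing /etc/hosts aliases bypasses cluster DNS; let the orchestrator manage DNS",
     lambda s: bool(s.get("hostAliases"))),
    (".spec .automountServiceAccountToken == false", "advise", 1,
     "Disable automounting of the service account token if the pod does not talk to the API server",
     lambda s: s.get("automountServiceAccountToken") is False),
    ("containers[] .securityContext .runAsNonRoot == true", "advise", 1,
     "Force the container to run as a non-root user",
     lambda s: bool(containers(s)) and all(sc(c).get("runAsNonRoot") is True for c in containers(s))),
    ("containers[] .securityContext .readOnlyRootFilesystem == true", "advise", 1,
     "An immutable root filesystem limits what a compromised process can persist",
     lambda s: bool(containers(s)) and all(sc(c).get("readOnlyRootFilesystem") is True for c in containers(s))),
    ('containers[] .securityContext .capabilities .drop | index("ALL")', "advise", 1,
     "Drop all capabilities and add back only the ones needed",
     lambda s: bool(containers(s)) and all("ALL" in (sc(c).get("capabilities") or {}).get("drop", []) for c in containers(s))),
]


def pod_spec(manifest):
    """Pods carry the spec directly; workloads carry it under .spec.template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def scan(manifest):
    """Score one manifest the way the thread describes: critical hits deduct,
    matched advice adds, unmatched advice is reported as a recommendation."""
    spec = pod_spec(manifest)
    meta = manifest.get("metadata", {})
    score = 0
    scoring = {"critical": [], "advise": []}
    for selector, category, points, reason, matches in RULES:
        hit = matches(spec)
        if hit:
            score += points  # negative for a critical finding, positive for good practice
        entry = {"selector": selector, "reason": reason, "points": points}
        if category == "critical" and hit:
            scoring["critical"].append(entry)
        elif category == "advise" and not hit:
            scoring["advise"].append(entry)
    verdict = "Passed" if score >= 0 else "Failed"
    return {
        "object": f"{manifest['kind']}/{meta.get('name')}.{meta.get('namespace', 'default')}",
        "valid": True,
        "message": f"{verdict} with a score of {score} points",
        "score": score,
        "scoring": {k: v for k, v in scoring.items() if v},
    }


# Constructed manifest: a reduced version of the Deployment from this issue.
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "stage-release-name"},
    "spec": {"replicas": 2, "template": {"spec": {
        "automountServiceAccountToken": False,
        "hostAliases": [{"ip": "127.0.0.1", "hostnames": ["localhost"]}],
        "containers": [{
            "name": "components",
            "image": "example.invalid/components:tag",  # placeholder image reference
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
                "runAsNonRoot": True,
                "runAsUser": 10001,
            },
        }],
    }}},
}


def without_host_aliases(manifest):
    """Copy of the manifest with hostAliases removed, i.e. the fix the thread lands on."""
    fixed = copy.deepcopy(manifest)
    pod_spec(fixed).pop("hostAliases", None)
    return fixed


if __name__ == "__main__":
    print(json.dumps([scan(DEPLOYMENT), scan(without_host_aliases(DEPLOYMENT))], indent=2))
```

Running it shows the same shape as the kubesec output above: the manifest with hostAliases gets a `critical` entry for `.spec .hostAliases` and a lower score, and the copy without it gets the higher score with no critical entry, which is the behaviour the thread converges on.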

d47zm3 commented 5 years ago

Well, I get what you're saying, but the thing is, kubesec doesn't give me points when it should (because hostAliases is there). The funny thing is, I tested kubesec using a docker image whose tag was some commit/build and it scored 15 (so all checks passed), but using the newest build/web API it gives me a score of 13, complaining about missing hostAliases (which is there, in the manifest!). So I think you got me wrong.

stefanprodan commented 5 years ago

Having hostAliases should give you a critical message; use docker.io/kubesec/kubesec:512c5e0

d47zm3 commented 5 years ago

Doh, now I understand, for maximum score it should not be there... I was misled by the other image/build (I think I used the tag from the README), where it didn't give me points if it wasn't there. Then it's solved, thanks!

stefanprodan commented 5 years ago

@sublimino maybe delete the v2 tag from Docker Hub and remove it from the readme. I think we should be using immutable tags only.

sublimino commented 5 years ago

> @sublimino maybe delete the v2 tag from Docker Hub and remove it from the readme. I think we should be using immutable tags only.

Yep @stefanprodan you're right, we should fix the Hub tags -- I haven't fixed up the release process yet though :( Temporary fix is updating the README https://github.com/controlplaneio/kubesec/commit/72f202e6825a373cc0413d0670b4f3ff27753210 but I'll fix the cloudbuild before pushing any more features.

Thanks for your patience @d47zm3!