elastic / cloudbeat

Analyzing Cloud Security Posture
Other
13 stars 43 forks source link

Remove dependency on PSPs, allowing us to bump K8s libraries' versions #2353

Open kubasobon opened 3 months ago

kubasobon commented 3 months ago

Description

Cloudbeat relies on Kubernetes (K8s) libraries that provide PodSecurityPolicy definitions. However, due to PSP deprecation, we are stuck with outdated libraries, preventing us from updating other dependencies and remediating CVEs.

Details

PodSecurityPolicies (PSPs) have been deprecated (K8s v1.21) and removed (K8s v1.25). cloudbeat officially supports K8s v1.23, hence we keep all golang libraries that interact with K8s pinned to v0.28. That is the last version containing PSPs, which were removed in v0.29 and later.

Remediating CVEs often requires a bump of a dependency version, which is prevented by the pinned K8s library version.

The one piece of code blocking the upgrade is the dependency on policyv1beta1.PodSecurityPolicy type definition, used to spawn an Informer to watch for events. See: internal/resources/fetching/fetchers/k8s/kube_fetcher.go

Proposed solution

Check if K8s API serves PSPs. If yes, use Dynamic Informer to watch them without having to provide a full type. If not, do not watch them at all (K8s >=v1.25).

Extra examples:

romulets commented 3 months ago

PSP Code has been removed on https://github.com/elastic/cloudbeat/pull/2356,

If we decide to not implement the PSP's we still need to remove all the commented infra/test code left behind

kubasobon commented 3 months ago

@jeniawhite I believe the affected rules are as follows:

The PR disabled the following:

I believe most of 5.2.x rules (with the exception of 5.2.3) check Pod Security Standards, not PSPs, and only need the Pod definition to evaluate. As for the others, we probably should find out what is the right subset of rules to disable.