kubescape / regolibrary

The regolibrary package contains the controls Kubescape uses for detecting misconfigurations in Kubernetes manifests.
Apache License 2.0

C-0004 - Memory Limit Request False-Positive #159

Open dwertent opened 2 years ago

dwertent commented 2 years ago

Copied from here

Kubescape version: v2.0.164

Description: Kubescape will always report a finding for control 0004 on Deployments. I am scanning in an air-gapped environment, with a custom framework and exception file.

Testing: Scanning the following YAML (with memory limits and requests specified under spec.template.spec.containers[0].resources) - kubescape reports a finding on this control

apiVersion: apps/v1
kind: Deployment
metadata:
  generation: 19
  labels:
    app: dtr-customer-myapp
  name: dtr-customer-myapp
  namespace: dtr-customer
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: dtr-customer-myapp
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: dtr-customer-myapp
    spec:
      containers:
      - envFrom:
        - configMapRef:
            name: dtr-customer-myapp-configmap
        - secretRef:
            name: dtr-customer-myapp-secrets
        image: myrepo.domain.com/cre/dtr-customer-myapp:1.1.1
        imagePullPolicy: IfNotPresent
        name: dtr-customer-myapp
        ports:
        - containerPort: 343
          protocol: TCP
        resources:
          limits:
            cpu: 450m
            memory: "512Mi"
          requests:
            cpu: 100m
            memory: "200Mi"
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      imagePullSecrets:
      - name: myimagesecret
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      topologySpreadConstraints:
      - labelSelector:
          matchLabels:
            app: dtr-customer-myapp
        maxSkew: 1
        topologyKey: kubernetes.io/hostname
        whenUnsatisfiable: ScheduleAnyway

> ./kubescape scan framework dtr --use-artifacts-from kubescape-artifacts/ --verbose testing/dtr-deploy.yaml

################################################################################
Source: /opt/testing/deploy.yaml
ApiVersion: apps/v1
Kind: Deployment
Name: dtr-customer-myapp
Namespace: dtr-customer

Controls: 15 (Failed: 3, Excluded: 0)

+----------+--------------------------------+------------------------------------+---------------------------------------------------------------------------------+
| SEVERITY |          CONTROL NAME          |                DOCS                |                              ASSISTANT REMEDIATION                              |
+----------+--------------------------------+------------------------------------+---------------------------------------------------------------------------------+
| High     | Resources memory limit and     | https://hub.armosec.io/docs/c-0004 | spec.template.spec.containers[0].resources.limits.memory                        |
|          | request                        |                                    |                                                                                 |
+----------+--------------------------------+------------------------------------+---------------------------------------------------------------------------------+
| Medium   | Allow privilege escalation     | https://hub.armosec.io/docs/c-0016 | spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false |
+          +--------------------------------+------------------------------------+---------------------------------------------------------------------------------+
|          | Non-root containers            | https://hub.armosec.io/docs/c-0013 | spec.template.spec.securityContext.runAsNonRoot=true                            |
|          |                                |                                    | spec.template.spec.securityContext.allowPrivilegeEscalation=false               |
+----------+--------------------------------+------------------------------------+---------------------------------------------------------------------------------+
matheensyedaslam commented 1 year ago

Any update on this? Facing the same issue.

matheensyedaslam commented 1 year ago

Any turn-around?

yuleib commented 1 year ago

Hi @matheensyedaslam - we moved this issue to the R&D team for internal review. We will provide a fix for that; I will let you know once this issue is solved.

matheensyedaslam commented 1 year ago

Any interim fix?

kooomix commented 1 year ago

hi @matheensyedaslam

Please note this control will also fail if the limits are exceeded by custom configurations. See the control doc here.

I offer the following steps:

  1. Check your controls input under kubescape-artifacts/.
  2. If you have the limits configured, set the value to an empty list and try again.
  3. For best experience, please make sure you have the latest kubescape version installed.

Please let us know if the issue is resolved for you.

Eran
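To make the two situations in this thread concrete (the original report, where a Deployment with memory limits and requests set still fails C-0004, and Eran's explanation that the control also fails when a configured threshold is exceeded), here is an added Python example that emulates the control's decision logic. It is not code from regolibrary or Kubescape. It assumes that the control inputs are named `memory_limit_max`, `memory_limit_min`, `memory_request_max` and `memory_request_min` and are lists of quantity strings where an empty list means "not enforced"; the `DEPLOYMENT` dict is constructed from the resources block of the manifest in the issue.

```python
"""Emulate the memory limit/request control (C-0004) against a Deployment.

Added example, not regolibrary code. Input names and their list-of-strings
form are assumptions modelled on the controls-inputs.json discussed above.
"""
import re

# Kubernetes quantity suffixes mapped to a multiplier in bytes.
_SUFFIX = {
    "": 1, "m": 1e-3,
    "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
    "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4,
}


def parse_quantity(q):
    """Convert a Kubernetes quantity such as "512Mi" or "1G" to bytes (float)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)([A-Za-z]*)\s*", str(q))
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unsupported quantity: {q!r}")
    return float(m.group(1)) * _SUFFIX[m.group(2)]


def _first(inputs, key):
    """Inputs are lists of strings (assumed); a missing or empty list is 'not enforced'."""
    values = inputs.get(key) or []
    return values[0] if values else None


# (assumed input key, resources section, violation predicate, reason text)
_THRESHOLDS = (
    ("memory_limit_max", "limits", lambda v, t: v > t, "limit above memory_limit_max"),
    ("memory_limit_min", "limits", lambda v, t: v < t, "limit below memory_limit_min"),
    ("memory_request_max", "requests", lambda v, t: v > t, "request above memory_request_max"),
    ("memory_request_min", "requests", lambda v, t: v < t, "request below memory_request_min"),
)


def check_container_memory(container, inputs):
    """Return the reasons one container would fail; an empty list means it passes."""
    resources = container.get("resources") or {}
    reasons = []
    # Part 1: both memory limit and memory request must be present.
    for section in ("limits", "requests"):
        if (resources.get(section) or {}).get("memory") is None:
            reasons.append(f"resources.{section}.memory is not set")
    # Part 2: configured thresholds must not be violated (the case Eran describes).
    for key, section, violates, message in _THRESHOLDS:
        value = (resources.get(section) or {}).get("memory")
        threshold = _first(inputs, key)
        if value is None or threshold is None:
            continue
        if violates(parse_quantity(value), parse_quantity(threshold)):
            reasons.append(f"{message} ({value} vs {threshold})")
    return reasons


def evaluate_deployment(deployment, inputs):
    """Map failing container paths (as in Kubescape's remediation column) to reasons."""
    containers = deployment["spec"]["template"]["spec"].get("containers", [])
    failures = {}
    for i, container in enumerate(containers):
        reasons = check_container_memory(container, inputs)
        if reasons:
            failures[f"spec.template.spec.containers[{i}]"] = reasons
    return failures


# Constructed sample: the resources block of the Deployment posted in the issue.
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "dtr-customer-myapp", "namespace": "dtr-customer"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "dtr-customer-myapp",
        "resources": {
            "limits": {"cpu": "450m", "memory": "512Mi"},
            "requests": {"cpu": "100m", "memory": "200Mi"},
        },
    }]}}},
}

# A threshold lower than the manifest's limit makes the control fail even
# though limits and requests are set; empty lists disable the threshold check.
STRICT_INPUTS = {"memory_limit_max": ["256Mi"], "memory_limit_min": [],
                 "memory_request_max": [], "memory_request_min": []}
RELAXED_INPUTS = {key: [] for key in STRICT_INPUTS}

if __name__ == "__main__":
    for label, inputs in (("strict", STRICT_INPUTS), ("relaxed", RELAXED_INPUTS)):
        print(label, evaluate_deployment(DEPLOYMENT, inputs) or "PASS")
```

Running it shows the strict inputs failing on `spec.template.spec.containers[0]` with a "limit above memory_limit_max" reason, and the relaxed inputs passing, which is the before/after of step 2 in Eran's list. The same shape applies to a container with no `resources` block at all, which fails on the first part regardless of inputs.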

yuleib commented 12 months ago

Hey @matheensyedaslam, can you please check if @kooomix's feedback above assists with that?

matheensyedaslam commented 12 months ago

Still facing the same issue. I have configured controls-inputs.json with limits and it fails to detect it, as mentioned in BUG: https://github.com/kubescape/regolibrary/issues/536. The issue still exists; we can't configure C-004 and C-0050 for threshold detection.