kubescape / regolibrary

The regolibrary package contains the controls Kubescape uses for detecting misconfigurations in Kubernetes manifests.
Apache License 2.0
119 stars, 48 forks

Fix privilege escalation and privileged container issues #612

Closed kooomix closed 5 months ago

kooomix commented 5 months ago

User description

Overview

Type

bug_fix, enhancement

Description
Changes walkthrough

Relevant files

Enhancement

• rules/rule-allow-privilege-escalation/raw.rego (+11/-6): Enhance Security by Disabling Privileged Containers and Privilege Escalation
  • Added a fix to also set privileged to false in the security context of containers alongside allowPrivilegeEscalation.
  • Modified the structure of fixPath from a single object to an array of objects to include the new fix.
  • Adjusted the failed_path and get_fixed_path functions to support the updated fixPath structure.

Tests

• rules/rule-allow-privilege-escalation/test/cronjob/expected.json (+13/-2): Update Test Expectations for Privileged Containers Fix
  • Updated test expectations to include fixes for disabling privileged mode in containers.

• rules/rule-allow-privilege-escalation/test/workloads/expected.json (+6/-1): Update Workloads Test Expectations with Security Context Fixes
  • Updated test expectations to reflect the new security context fixes for workloads.
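The walkthrough above describes fix entries of the form `{"path": ..., "value": "false"}` being emitted for both `allowPrivilegeEscalation` and `privileged` on every flagged container. The script below is an added example, not code from kubescape/regolibrary or from this PR; it emulates that behaviour outside OPA so the fixPath mechanism can be exercised on a manifest: it scans a workload for containers that do not set both fields to false, emits fix entries in the same shape the expected.json files show, and applies them to produce a hardened copy. The dotted path syntax with `[index]` segments, the pod-spec prefix per kind, the flagging check and the sample Deployment are assumptions of this example, and it generalizes slightly beyond the PR by handling bare Pods and CronJobs as well as templated workloads.

```python
"""Added example (not kubescape/regolibrary code): emulate the fixPath
mechanism described in the PR. Finds containers that do not explicitly set
allowPrivilegeEscalation and privileged to false, emits {"path", "value"}
fix entries like the rule's expected.json, and applies them to a copy of
the manifest. Path syntax, kind prefixes and the sample are assumptions."""
import copy
import re

# Fields the rule in this PR sets to false for every flagged container.
HARDENING_FIELDS = ("allowPrivilegeEscalation", "privileged")

# One path segment: a map key, optionally followed by a list index.
_SEGMENT = re.compile(r"^([^\[]+)(?:\[(\d+)\])?$")


def _split_path(path):
    """'spec.containers[1].securityContext.privileged' ->
    ['spec', 'containers', 1, 'securityContext', 'privileged']"""
    parts = []
    for seg in path.split("."):
        m = _SEGMENT.match(seg)
        if not m:
            raise ValueError(f"bad path segment: {seg!r}")
        parts.append(m.group(1))
        if m.group(2) is not None:
            parts.append(int(m.group(2)))
    return parts


def _pod_spec_prefix(manifest):
    """Where the pod spec lives (assumed): Pod, CronJob, or templated workload."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return "spec."
    if kind == "CronJob":
        return "spec.jobTemplate.spec.template.spec."
    return "spec.template.spec."


def find_fix_paths(manifest):
    """Return fix entries for every container not explicitly hardened.

    Mirrors the PR's behaviour of emitting two fixes per flagged container,
    one per field. A container is flagged when either field is missing or
    not false (assumed check)."""
    prefix = _pod_spec_prefix(manifest)
    pod_spec = manifest
    for key in _split_path(prefix.rstrip(".")):
        pod_spec = pod_spec[key]
    fixes = []
    for i, container in enumerate(pod_spec.get("containers", [])):
        sc = container.get("securityContext") or {}
        if all(sc.get(f) is False for f in HARDENING_FIELDS):
            continue
        for field in HARDENING_FIELDS:
            fixes.append({
                "path": f"{prefix}containers[{i}].securityContext.{field}",
                "value": "false",
            })
    return fixes


def apply_fix_paths(manifest, fixes):
    """Apply fix entries to a deep copy, creating missing maps on the way."""
    fixed = copy.deepcopy(manifest)
    for fix in fixes:
        parts = _split_path(fix["path"])
        node = fixed
        for key in parts[:-1]:
            if isinstance(key, int):
                node = node[key]  # list index must already exist
            else:
                node = node.setdefault(key, {})
        # Fix values arrive as strings; map "false"/"true" to YAML booleans.
        node[parts[-1]] = {"false": False, "true": True}.get(fix["value"], fix["value"])
    return fixed


# Constructed sample: one hardened container and one that is not.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "safe", "securityContext": {
            "allowPrivilegeEscalation": False, "privileged": False}},
        {"name": "risky", "securityContext": {"privileged": True}},
    ]}}},
}

if __name__ == "__main__":
    fixes = find_fix_paths(SAMPLE_DEPLOYMENT)
    for f in fixes:
        print(f["path"], "=", f["value"])
    hardened = apply_fix_paths(SAMPLE_DEPLOYMENT, fixes)
    assert find_fix_paths(hardened) == []
```

Running it prints the two fix paths for the second container (the same `spec.template.spec.containers[1].securityContext.…` strings the workloads expected.json on this page contains) and then checks that the hardened copy produces no further findings; the input manifest is left untouched because `apply_fix_paths` deep-copies before editing.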


codiumai-pr-agent-free[bot] commented 5 months ago

PR Description updated to latest commit (https://github.com/kubescape/regolibrary/commit/3f87f91d5064447907b6073315290a28c8eaa6fd)

codiumai-pr-agent-free[bot] commented 5 months ago

PR Review

⏱️ Estimated effort to review [1-5]: 2, because the changes are focused on a specific security enhancement within a Rego policy and its associated test expectations. The modifications are straightforward and localized to a few lines of code, making the review process relatively simple for someone familiar with Rego and security policies.
🧪 Relevant tests: Yes
🔍 Possible issues: Possible Regression: While the addition of disabling `privileged` mode alongside preventing privilege escalation is a significant security enhancement, it's crucial to ensure that this change does not inadvertently break any existing functionalities that might rely on these settings. It would be beneficial to verify this change against a broader set of deployments to ensure no unintended side effects occur.
🔒 Security concerns: No

codiumai-pr-agent-free[bot] commented 5 months ago

PR Code Suggestions

Category | Suggestions

Maintainability
    Improve array formatting for better readability. ___ **It's recommended to ensure consistent formatting for better readability. In this case,
    align the elements of the fixPath array properly.** [rules/rule-allow-privilege-escalation/raw.rego [84-86]](https://github.com/kubescape/regolibrary/pull/612/files#diff-13e6d2d500bd736926a934b7bc48bc076e22fac2adf9f80147047fbee89b5cdcR84-R86) ```diff -fixPath = [{"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"}, -{"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)]), "value":"false"} +fixPath = [ + {"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"}, + {"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)]), "value":"false"} ] ```
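Review bot: Whitespace-only change; the `-` lines and the `+` lines carry the same two objects, and the closing `]` is untouched context. It conflicts with the trailing-comma suggestion further down, which moves `]` onto the end of the `privileged` entry, so apply at most one of the two layouts to lines 84-86 rather than both.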
    Use descriptive variable names for clarity. ___ **Use a more descriptive variable name than fixPath to clarify its purpose, such as
    securityContextFixes.** [rules/rule-allow-privilege-escalation/raw.rego [84-86]](https://github.com/kubescape/regolibrary/pull/612/files#diff-13e6d2d500bd736926a934b7bc48bc076e22fac2adf9f80147047fbee89b5cdcR84-R86) ```diff -fixPath = [{"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"}, +securityContextFixes = [{"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"}, {"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)]), "value":"false"}] ```
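Review bot: Renaming only the assignment at lines 84-86 leaves every other reference to `fixPath` dangling; the PR description says `failed_path` and `get_fixed_path` were adjusted to consume this value, and none of those uses appear in the hunk, so the rename as shown would break the rule. The value is also what ends up under the `fixPaths` key the expected.json files assert on, so the existing name already tracks its purpose; I would skip this one.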
    Improve JSON formatting for better readability. ___ **Ensure consistent formatting in JSON files. Properly indent the elements of the fixPaths
    array for better readability.** [rules/rule-allow-privilege-escalation/test/workloads/expected.json [25-33]](https://github.com/kubescape/regolibrary/pull/612/files#diff-9e68697a2e0753e11e100662c0548b907335593049651e58b6863e507de38c4aR25-R33) ```diff -"fixPaths": [{ - "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", - "value": "false" +"fixPaths": [ + { + "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + }, + { + "path": "spec.template.spec.containers[1].securityContext.privileged", + "value": "false" + } +] - }, - { - "path": "spec.template.spec.containers[1].securityContext.privileged", - "value": "false" - }] - ```
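Review bot: Whitespace-only change; the `-` lines and the `+` lines contain the same two `path`/`value` objects for `containers[1]`, only reindented. If these expected.json files are produced by the test tooling, a hand reindent will be undone on the next regeneration, so either apply it through whatever generates them or skip it.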
    Best practice
    Remove trailing commas for consistency. ___ **Avoid leaving trailing commas in arrays or objects when the last element is followed by a
    closing bracket or brace to maintain consistency and avoid potential parsing issues in
    some languages or tools.** [rules/rule-allow-privilege-escalation/raw.rego [97-100]](https://github.com/kubescape/regolibrary/pull/612/files#diff-13e6d2d500bd736926a934b7bc48bc076e22fac2adf9f80147047fbee89b5cdcR97-R100) ```diff fixPath = [{"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"}, -{"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)]), "value":"false"} -] +{"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)]), "value":"false"}] ```
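Review bot: The premise does not match the hunk: the `-` lines at 97-100 contain no trailing comma after the last object, and the only change is moving the closing `]` from its own line onto the end of the `privileged` entry. That is the opposite layout from the array-formatting suggestion above; pick one and keep lines 84-86 and 97-100 consistent with each other.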
    Enhancement
    Enhance functions to handle multiple elements in paths. ___ **Ensure that the get_failed_path and get_fixed_path functions handle cases where paths
    might have more than two elements, to avoid ignoring additional paths.** [rules/rule-allow-privilege-escalation/raw.rego [122-124]](https://github.com/kubescape/regolibrary/pull/612/files#diff-13e6d2d500bd736926a934b7bc48bc076e22fac2adf9f80147047fbee89b5cdcR122-R124) ```diff -get_failed_path(paths) = paths[0] { - paths[0] != "" -} else = [] +get_failed_path(paths) = [path | path := paths[_]; path != ""] ```
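Review bot: This changes the return type of `get_failed_path`: the original returns the single string `paths[0]` (or `[]` when it is empty), while the comprehension returns an array of every non-empty path. Any caller that expects a string, and the test expectations updated in this PR, would have to change with it, so this is a behavioural change rather than a robustness tweak. If reporting both fields as failed paths is the intent, that belongs in its own change together with regenerated expected.json files.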

github-actions[bot] commented 5 months ago

Summary: