octarinesec / kube-scan

kube-scan: Octarine k8s cluster risk assessment tool
https://www.octarinesec.com/
MIT License

Kubescan shows wrong risks in multi-container Pods #22

Open ayoubeddafali opened 4 years ago

ayoubeddafali commented 4 years ago

Hi, We have a set of microservices deployed, and in each microservice pod we inject a linkerd proxy container alongside the application container for service mesh reasons.

Somehow, for all pods that have the injected linkerd container, kubescan shows wrong risk results.
When manually uninjecting the linkerd container from the pod, kubescan then shows the correct risks.

thehh1974 commented 4 years ago

@ayoubeddafali - can you expand on what you mean by "wrong risk results"? The risk score should include any risk introduced by the sidecar.

snahelou commented 4 years ago

Hello

kubescan also reports initContainers... It should not, imho.

Because my deployment has:

        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          runAsNonRoot: true
          runAsUser: 2020

And kube-scan reports to me

ayoubeddafali commented 4 years ago

@thehh1974 Thanks for responding. It is totally the inverse: with the sidecar container present, the total risks are lower than when it is not.
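The two behaviours discussed in this thread (a hardened application container whose Pod still scores badly because of an init container, and a Pod whose score drops when an unhardened sidecar is injected) both come down to how per-container securityContext findings are aggregated at Pod level. The following is an added example, not kube-scan's own code: it walks every container in a Pod spec (initContainers and regular containers, sidecars included), lists the hardening settings each one lacks, and derives the Pod score from the weakest container so that adding a container can never lower it. The Pod spec, container names and the check set are constructed for illustration.

```python
"""Per-container securityContext audit for a Kubernetes Pod spec.

Constructed example, not kube-scan's implementation. The point it makes:
a Pod-level score must be taken over every container in the Pod, including
initContainers and injected sidecars, and aggregated as "worst container
wins" so that injecting a weaker container can only raise the score.
"""
from typing import Dict, List


def _missing_settings(sc: dict) -> List[str]:
    """Return the hardening gaps for one container's effective securityContext."""
    findings = []
    if sc.get("privileged", False):
        findings.append("privileged")
    # Kubernetes defaults allowPrivilegeEscalation to true when unset.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation not disabled")
    caps = sc.get("capabilities", {}) or {}
    if caps.get("add"):
        findings.append("adds capabilities: " + ",".join(caps["add"]))
    drops = [c.lower() for c in caps.get("drop", [])]
    if "all" not in drops:
        findings.append("capabilities not dropped")
    # Treat an absent or zero runAsUser without runAsNonRoot as "may run as root".
    if not sc.get("runAsNonRoot", False) and sc.get("runAsUser", 0) == 0:
        findings.append("may run as root")
    return findings


def all_containers(pod_spec: dict) -> List[dict]:
    """initContainers first, then regular containers (sidecars included)."""
    return list(pod_spec.get("initContainers", [])) + list(pod_spec.get("containers", []))


def audit_pod(pod: dict) -> Dict[str, List[str]]:
    """Map each container name to its list of hardening gaps."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {}) or {}
    # Only the user-related fields are inheritable from the Pod-level context.
    inherited = {k: v for k, v in pod_sc.items() if k in ("runAsNonRoot", "runAsUser")}
    result = {}
    for c in all_containers(spec):
        # A container-level securityContext overrides inherited Pod-level fields.
        effective = {**inherited, **(c.get("securityContext", {}) or {})}
        result[c["name"]] = _missing_settings(effective)
    return result


def pod_risk_score(pod: dict) -> int:
    """Worst container wins: the Pod score is the largest per-container finding
    count, so an injected sidecar or init container can never lower it."""
    return max((len(f) for f in audit_pod(pod).values()), default=0)


# Constructed sample securityContext, mirroring the hardened settings quoted
# in the thread (allowPrivilegeEscalation false, drop all, non-root uid).
HARDENED_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["all"]},
    "runAsNonRoot": True,
    "runAsUser": 2020,
}

# Constructed Pod: a hardened app container, an injected proxy sidecar with no
# securityContext at all, and a mesh-style init container that runs as root
# and adds a capability. Container names are illustrative.
SAMPLE_POD = {
    "spec": {
        "initContainers": [
            {
                "name": "proxy-init",
                "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}, "runAsUser": 0},
            },
        ],
        "containers": [
            {"name": "app", "securityContext": dict(HARDENED_SC)},
            {"name": "proxy-sidecar"},
        ],
    }
}

APP_ONLY_POD = {"spec": {"containers": [SAMPLE_POD["spec"]["containers"][0]]}}


if __name__ == "__main__":
    for name, gaps in audit_pod(SAMPLE_POD).items():
        print(f"{name}: {gaps or 'no findings'}")
    print("pod score (all containers):", pod_risk_score(SAMPLE_POD))
    print("pod score (app container only):", pod_risk_score(APP_ONLY_POD))
```

With this aggregation the app container alone scores 0, while the same Pod with the sidecar and init container present scores 4; a tool that averaged over containers, or that only looked at the first container, could produce the inverted result reported above.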