semgr8ns / semgr8s

Semgrep-based Policy Controller for Kubernetes
https://semgr8ns.github.io/semgr8s/
Apache License 2.0

Semgrep-based Policy controller for Kubernetes.

Admission controller to use your well-known publicly available or custom Semgrep rules to validate k8s resources before deployment to the cluster.

:hammer_and_wrench: developed by Semgr8s logo

:zap: powered by Semgr8s logo

:warning: Semgr8s is in a proof-of-concept state. Do not use in production. Breaking changes, service interruptions, and development flow adjustments are expected.

:point_right: More? Read the docs.

Getting started

Getting started to validate Kubernetes resources against Semgrep rules is only a matter of minutes:

Requirements

Get Code

Installation files are contained within this repository:

git clone https://github.com/semgr8ns/semgr8s.git
cd semgr8s

Configuration & Installation

Semgr8s comes preconfigured with some basic rules. However, the configuration can be adjusted to your needs.

To deploy the preconfigured admission controller simply run:

helm install semgr8s charts/semgr8s --create-namespace --namespace semgr8ns
output:

```bash
NAME: semgr8s
LAST DEPLOYED: Tue Apr 25 00:16:04 2023
NAMESPACE: semgr8ns
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Successfully installed semgr8s!
```

You can check successful deployment of Semgr8s via:

kubectl get all -n semgr8ns
output:

```bash
NAME                           READY   STATUS    RESTARTS   AGE
pod/semgr8s-665dbb8756-qhqv6   1/1     Running   0          7s

NAME                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/semgr8s-service   ClusterIP   10.96.135.157   <none>        443/TCP   7s

NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/semgr8s   1/1     1            1           7s

NAME                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/semgr8s-665dbb8756   1         1         1       7s
```

Once all resources are in the READY state, you have successfully installed Semgr8s :rocket:

Testing

Several test resources are provided under tests/demo/. Semgr8s only validates resources in namespaces with label semgr8s/validation=enabled:

kubectl apply -f tests/demo/00_test-namespace.yaml
output:

```bash
namespace/test-semgr8s created
```

It denies creating pods whose configuration violates the local rules in charts/semgr8s/rules or the remote rules listed under .application.remoteRules in charts/semgr8s/values.yaml:

kubectl apply -f tests/demo/40_failing-deployment.yaml
output:

```bash
Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies:
* rules.test-semgr8s-forbidden-label
Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies:
* yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container
Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies:
* yaml.kubernetes.security.privileged-container.privileged-container
Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies:
* yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod
```

Compliant resources, on the other hand, are admitted to the cluster:

kubectl apply -f tests/demo/20_passing-deployment.yaml
output:

```bash
pod/passing-testpod-1 created
```
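How a webhook in the style of semgr8s turns Semgrep findings into the denial messages shown above, as an added example (not the project's own code): the semgrep CLI flags, the fail-closed handling of rule-engine errors, and the sample AdmissionReview and report are assumptions made here for illustration.

```python
import json
import subprocess
import tempfile
from pathlib import Path

def run_semgrep(manifest: dict, rules_dir: str) -> dict:
    """Scan one admitted object with the semgrep CLI and return its JSON report.
    Assumes `semgrep` is on PATH and PyYAML is installed (imported lazily, so the
    decision logic below runs without either)."""
    import yaml
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "object.yaml"
        target.write_text(yaml.safe_dump(manifest))
        proc = subprocess.run(
            ["semgrep", "--json", "--metrics=off", "--config", rules_dir, str(target)],
            capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)

def violations(report: dict) -> list[str]:
    """Sorted, de-duplicated check_ids: a pod may hit the same rule in several
    containers, but the denial message should name each policy once."""
    return sorted({r["check_id"] for r in report.get("results", [])})

def admission_response(review: dict, report: dict) -> dict:
    """Build the AdmissionReview response. Fails closed (this example's choice):
    semgrep errors of level "error" deny the request just like a violation."""
    reasons = violations(report)
    fatal = [e.get("message", "unknown") for e in report.get("errors", [])
             if e.get("level") == "error"]
    resp = {"uid": review["request"]["uid"], "allowed": not (reasons or fatal)}
    if fatal:
        resp["status"] = {"code": 500, "message": "semgrep failed: " + "; ".join(fatal)}
    elif reasons:
        resp["status"] = {"code": 403, "message":
                          f"Found {len(reasons)} violation(s) of the following policies: "
                          + " ".join(f"* {r}" for r in reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

# Constructed sample input (not captured from a cluster): a review for a pod that is
# privileged and carries the forbidden label, plus the semgrep --json report it yields.
SAMPLE_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                 "request": {"uid": "0000-example-uid", "namespace": "test-semgr8s",
                             "object": {"apiVersion": "v1", "kind": "Pod"}}}
PRIV = "yaml.kubernetes.security.privileged-container.privileged-container"
SAMPLE_REPORT = {"errors": [], "results": [
    {"check_id": PRIV, "path": "object.yaml", "extra": {"severity": "WARNING"}},
    {"check_id": PRIV, "path": "object.yaml", "extra": {"severity": "WARNING"}},
    {"check_id": "rules.test-semgr8s-forbidden-label", "path": "object.yaml",
     "extra": {"severity": "ERROR"}}]}
```

Pass `SAMPLE_REVIEW` and `SAMPLE_REPORT` to `admission_response` to see the 403 response with both policies listed once; in a live webhook the report would come from `run_semgrep(review["request"]["object"], "charts/semgr8s/rules")`.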

Cleanup

To remove all resources of the admission controller run:

helm uninstall semgr8s -n semgr8ns
kubectl delete ns semgr8ns
output:

```bash
release "semgr8s" uninstalled
```

Test resources are deleted via:

kubectl delete -f tests/demo/
output:

```bash
namespace "test-semgr8s" deleted
pod "passing-testpod-1" deleted
Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "forbiddenlabel-pod" not found
Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "failing-testpod-1" not found
Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "failing-testpod-2" not found
Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "failing-testpod-3" not found
```

Next steps

Excited about Semgr8s? Here are some next steps: