stackrox / kube-linter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
https://docs.kubelinter.io/
Apache License 2.0

[FEATURE_REQUEST] CIS kubernetes benchmark checks for RBAC, secret, and namespace #187

Closed lluan444 closed 2 years ago

lluan444 commented 3 years ago

**Description of the problem/feature request**

Add four new templates (shown in bold in the table below) and checks for RBAC, secret, and namespace as recommended in CIS Benchmarks for Kubernetes

| Section | Description | Target | New kube-linter template |
|---|---|---|---|
| RBAC | | | |
| 5.1.1 | Ensure that the cluster-admin role is only used where required | ClusterRoleBinding | cluster-admin-role-binding |
| 5.1.2 | Minimize access to secrets (Manual) | Role, RoleBinding, ClusterRole, ClusterRoleBinding | **access-to-resources** |
| 5.1.3 | Minimize wildcard use in Roles and ClusterRoles | Role, ClusterRole | **wildcard-in-rules** |
| 5.1.4 | Minimize access to create pods (Manual) | Role, RoleBinding, ClusterRole, ClusterRoleBinding | **access-to-resources** |
| 5.1.5 | Ensure that default service accounts are not actively used | Pod, Deployment, ... | service-account |
| 5.1.6 | Ensure that Service Account Tokens are only mounted where necessary (Manual) | ServiceAccount | service-account |
| Secret Management | | | |
| 5.4.1 | Prefer using secrets as files over secrets as environment variables (Manual) | Pod, Deployment, ... | **read-secret-from-env-var** |
| 5.4.2 | Consider external secret storage (Manual) | | (not applicable) |
| General Policies | | | |
| 5.7.1 | Create administrative boundaries between resources using namespaces (Manual) | Service, Pod, Deployment, ... | **use-namespace** |
| 5.7.2 | Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual) | | (PSP deprecated) |
| 5.7.3 | Apply Security Context to Your Pods and Containers (Manual) | Pod, Deployment, ... | unsafe-sysctls, unsafe-proc-mount, read-only-root-fs, privilege-escalation-container, privileged, verify-container-capabilities |
| 5.7.4 | The default namespace should not be used (Manual) | Service, Pod, Deployment, ... | **use-namespace** |

**Description of the existing behavior vs. expected behavior**

```
% .gobin/kube-linter lint ../gitsecure-k8sbenchmark/opa/input-examples --config config-example3.yaml
KubeLinter 0.2.1-12-gadfb277043-dirty

../gitsecure-k8sbenchmark/opa/input-examples/clusterrolebinding.yaml: (object: <no namespace>/read-secrets-global rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding) binding to "secret-reader" clusterrole that has [get watch list create] access to [secrets] (check: access-to-secrets, remediation: Where possible, remove get, list and watch access to secret objects in the cluster.)

../gitsecure-k8sbenchmark/opa/input-examples/clusterrolebindings.yaml: (object: <no namespace>/test-aggregation rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding) binding via aggregationRule to "pod-creator" clusterrole that has [create] access to [pods] (check: access-to-create-pods, remediation: Where possible, remove create access to pod objects in the cluster.)

../gitsecure-k8sbenchmark/opa/input-examples/clusterrolebindings.yaml: (object: <no namespace>/test-aggregation rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding) binding via aggregationRule to "secret-reader" clusterrole that has [get watch list create] access to [secrets] (check: access-to-secrets, remediation: Where possible, remove get, list and watch access to secret objects in the cluster.)

../gitsecure-k8sbenchmark/opa/input-examples/clusterrolebindings.yaml: (object: <no namespace>/create-pod-test1 rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding) binding to "pod-creator" clusterrole that has [create] access to [pods] (check: access-to-create-pods, remediation: Where possible, remove create access to pod objects in the cluster.)

../gitsecure-k8sbenchmark/opa/input-examples/clusterroles.yaml: (object: <no namespace>/pod-manager rbac.authorization.k8s.io/v1, Kind=ClusterRole) wildcard "*" in verb specification (check: wildcard-in-rules, remediation: Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.)

../gitsecure-k8sbenchmark/opa/input-examples/pod.yaml: (object: <no namespace>/ossc-new /v1, Kind=Pod) object in default namespace (check: use-namespace, remediation: Create namespaces for objects in your deployment)

../gitsecure-k8sbenchmark/opa/input-examples/pod.yaml: (object: <no namespace>/test-webserver /v1, Kind=Pod) environment variable "SECRET_USERNAME" in container "test-webserver" uses SecretKeyRef (check: read-secret-from-env-var, remediation: If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets for details.)

../gitsecure-k8sbenchmark/opa/input-examples/rolebindings.yaml: (object: test1/testadminbinding rbac.authorization.k8s.io/v1, Kind=RoleBinding) binding to "testadmin" role that has [*] access to [*] (check: access-to-create-pods, remediation: Where possible, remove create access to pod objects in the cluster.)

../gitsecure-k8sbenchmark/opa/input-examples/rolebindings.yaml: (object: test1/testadminbinding rbac.authorization.k8s.io/v1, Kind=RoleBinding) binding to "testadmin" role that has [*] access to [*] (check: access-to-secrets, remediation: Where possible, remove get, list and watch access to secret objects in the cluster.)

../gitsecure-k8sbenchmark/opa/input-examples/rolebindings.yaml: (object: test3/test-pod-create3 rbac.authorization.k8s.io/v1, Kind=RoleBinding) binding to "testadmin" role that has [create] access to [pods], [create] access to [deployments] (check: access-to-create-pods, remediation: Where possible, remove create access to pod objects in the cluster.)

../gitsecure-k8sbenchmark/opa/input-examples/rolebindings.yaml: (object: test3/test-pod-create3 rbac.authorization.k8s.io/v1, Kind=RoleBinding) binding to "testadmin" role that has [get watch list] access to [secrets] (check: access-to-secrets, remediation: Where possible, remove get, list and watch access to secret objects in the cluster.)

../gitsecure-k8sbenchmark/opa/input-examples/roles.yaml: (object: test1/testadmin rbac.authorization.k8s.io/v1, Kind=Role) wildcard "*" in resource specification (check: wildcard-in-rules, remediation: Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.)

../gitsecure-k8sbenchmark/opa/input-examples/roles.yaml: (object: test1/testadmin rbac.authorization.k8s.io/v1, Kind=Role) wildcard "*" in verb specification (check: wildcard-in-rules, remediation: Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.)

../gitsecure-k8sbenchmark/opa/input-examples/service.yaml: (object: <no namespace>/hello-app-svc /v1, Kind=Service) object in default namespace (check: use-namespace, remediation: Create namespaces for objects in your deployment)

../gitsecure-k8sbenchmark/opa/input-examples/service.yaml: (object: <no namespace>/my-service /v1, Kind=Service) object in default namespace (check: use-namespace, remediation: Create namespaces for objects in your deployment)

Error: found 15 lint errors
```

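To make the RBAC rows of the request concrete, here is an added example (not kube-linter's own code, and not from the issue author) that reimplements the `wildcard-in-rules` and `access-to-resources` logic described in 5.1.2 through 5.1.4 in Python, over constructed manifests that mirror the `secret-reader` and `testadmin` objects named in the output above. The manifests are plain dicts so the script runs without a YAML parser; `aggregationRule` resolution is deliberately left out.

```python
# Added example (not kube-linter's own code): a minimal stand-in for the
# wildcard-in-rules and access-to-resources checks, run over constructed manifests.
WILDCARD = "*"

def wildcard_in_rules(role):
    """Flag '*' in the verbs or resources of any Role/ClusterRole rule."""
    name, out = role["metadata"]["name"], []
    for rule in role.get("rules", []):
        for field in ("verbs", "resources"):
            if WILDCARD in rule.get(field, []):
                out.append(f'{name}: wildcard "*" in {field[:-1]} specification')
    return out

def rule_grants(rule, resource, verbs):
    """A rule grants access if the resource and any verb match ('*' matches all)."""
    res, vs = rule.get("resources", []), rule.get("verbs", [])
    return (WILDCARD in res or resource in res) and (
        WILDCARD in vs or any(v in vs for v in verbs))

def access_to_resources(binding, roles, resource, verbs):
    """Flag a (Cluster)RoleBinding whose roleRef grants `verbs` on `resource`.
    `roles` maps (kind, name) -> Role/ClusterRole; aggregationRule is not resolved."""
    ref = binding["roleRef"]
    role = roles.get((ref["kind"], ref["name"]))
    if role is None:  # dangling roleRef: nothing to report
        return []
    granted = sorted({v for r in role.get("rules", [])
                      if rule_grants(r, resource, verbs) for v in r["verbs"]})
    if not granted:
        return []
    return [f'{binding["metadata"]["name"]}: binding to "{ref["name"]}" '
            f'{ref["kind"].lower()} that has [{" ".join(granted)}] access to [{resource}]']

# Constructed manifests (dicts rather than YAML to avoid a parser dependency).
SECRET_READER = {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
                 "rules": [{"resources": ["secrets"], "verbs": ["get", "watch", "list", "create"]}]}
TESTADMIN = {"kind": "Role", "metadata": {"name": "testadmin"},
             "rules": [{"resources": ["*"], "verbs": ["*"]}]}
ROLES = {("ClusterRole", "secret-reader"): SECRET_READER, ("Role", "testadmin"): TESTADMIN}
READ_SECRETS_GLOBAL = {"kind": "ClusterRoleBinding", "metadata": {"name": "read-secrets-global"},
                       "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}}
TESTADMIN_BINDING = {"kind": "RoleBinding", "metadata": {"name": "testadminbinding"},
                     "roleRef": {"kind": "Role", "name": "testadmin"}}

def lint_all():
    """Run both checks as the CIS 5.1.2, 5.1.3 and 5.1.4 rows describe them."""
    findings = wildcard_in_rules(TESTADMIN) + wildcard_in_rules(SECRET_READER)
    for b in (READ_SECRETS_GLOBAL, TESTADMIN_BINDING):
        findings += access_to_resources(b, ROLES, "secrets", ["get", "list", "watch"])
        findings += access_to_resources(b, ROLES, "pods", ["create"])
    return findings
```

Note that, like the output above, a binding to a role with `*` verbs on `*` resources is reported under both the secrets and the create-pods checks, since the wildcard satisfies each.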

janisz commented 2 years ago

Closed by #188