stackrox / kube-linter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
https://docs.kubelinter.io/
Apache License 2.0

[FEATURE_REQUEST] Expand `run-as-non-root` template to verify `runAsGroup` field is nonzero. #748

Open ariyonaty opened 4 months ago

ariyonaty commented 4 months ago

Description of the problem/feature request

In addition to it being a best security practice for pods to have runAsUser set to a non-zero value, it is also recommended that the GID, determined by either the runtime default security context or the runAsGroup field, is set to a non-zero value.

Would like to propose either creating a new template/check or extending the existing run-as-non-root template to check against the runAsGroup field.

Description of the existing behavior vs. expected behavior

Below is a snippet of the behavior when runAsUser is set to 0. Expected behavior would be along similar lines.

$ ./kube-linter lint ~/Documents/kube-linter/pkg/command/lint/testdata/valid-pod.yaml
KubeLinter 0.6.8

/home/user/Documents/kube-linter/pkg/command/lint/testdata/valid-pod.yaml: (object: <no namespace>/homebrew-demo /v1, Kind=Pod) container "homebrew-test" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)

Error: found 1 lint errors

Additional context

Not particularly familiar with Go, but would be glad to take a crack at this. Just let me know if there's any particular preference to either extend or create a new template (or any other helpful suggestions/pointers).
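The check this request describes, as an added illustration that is not kube-linter's code: a simplified Python version that resolves the effective UID and GID per container (a container securityContext overriding the pod-level one, as Kubernetes does) and reports root or unset values. The Pod manifest is constructed for the example and given in JSON, which parses to the same structure as the YAML form.

```python
import json
from typing import Optional

# Constructed sample Pod: pod-level runAsUser is non-root, but the first
# container explicitly sets runAsGroup to 0, which runAsNonRoot does not catch.
SAMPLE_POD = json.loads("""
{ "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "homebrew-demo"},
  "spec": {
    "securityContext": {"runAsUser": 1000},
    "containers": [
      {"name": "homebrew-test", "image": "example/app:1.0",
       "securityContext": {"runAsGroup": 0}},
      {"name": "sidecar", "image": "example/sidecar:1.0",
       "securityContext": {"runAsUser": 1001, "runAsGroup": 1001}}
    ]
  }
}
""")


def effective_field(container: dict, pod_spec: dict, field: str) -> Optional[int]:
    """Container securityContext wins over the pod securityContext; None if neither sets it."""
    container_sc = container.get("securityContext") or {}
    pod_sc = pod_spec.get("securityContext") or {}
    if field in container_sc:
        return container_sc[field]
    return pod_sc.get(field)


def check_run_as_non_root(pod: dict) -> list:
    """Return one finding per container whose effective UID or GID is 0 or unresolved.
    Hypothetical, simplified logic in the spirit of run-as-non-root plus a runAsGroup check."""
    findings = []
    spec = pod.get("spec", {})
    for container in spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        uid = effective_field(container, spec, "runAsUser")
        gid = effective_field(container, spec, "runAsGroup")
        non_root = effective_field(container, spec, "runAsNonRoot")
        if uid == 0:
            findings.append(f'container "{name}" has runAsUser set to 0')
        elif uid is None and non_root is not True:
            findings.append(f'container "{name}" is not set to runAsNonRoot')
        # runAsNonRoot only constrains the UID, so the GID needs its own check.
        if gid == 0:
            findings.append(f'container "{name}" has runAsGroup set to 0')
        elif gid is None:
            findings.append(f'container "{name}" does not set runAsGroup (image default GID applies)')
    return findings
```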

janisz commented 1 month ago

I think it could be added to https://docs.kubelinter.io/#/generated/checks?id=run-as-non-root