tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

Wrong detection of missing SecComp profile (policy: AC_K8S_0080) in K8s YAML file #1583

Open fminna opened 1 year ago

fminna commented 1 year ago

Hello,

Description

When scanning a YAML file (Helm chart template), using terrascan, I always get the AC_K8S_0080-secCompProfile violated policy. I tried to define the SecComp profile as an annotation in both the resource metadata and template, and in both the resource and container's securityContext, but still get the violation.

What I Did

Terrascan version:

terrascan version
version: v1.18.1

YAML file:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: release-name-mysql
  namespace: test-ns
  labels:
    app.kubernetes.io/name: mysql
    helm.sh/chart: mysql-9.7.1
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: primary
  annotations:
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
spec:
  replicas: 1
  podManagementPolicy: ''
  selector:
    matchLabels:
      app.kubernetes.io/name: mysql
      app.kubernetes.io/instance: RELEASE-NAME
      app.kubernetes.io/component: primary
  serviceName: release-name-mysql
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        checksum/configuration: 273d9244f42efc02f97b257d30cde438681bdbb466f738a1235b15f0fa4fff87
        container.apparmor.security.beta.kubernetes.io/mysql: runtime/default
        seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
      labels:
        app.kubernetes.io/name: mysql
        helm.sh/chart: mysql-9.7.1
        app.kubernetes.io/instance: RELEASE-NAME
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: primary
    spec:
      serviceAccountName: release-name-mysql
      affinity:
        podAffinity: null
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: mysql
                  app.kubernetes.io/instance: RELEASE-NAME
              topologyKey: kubernetes.io/hostname
            weight: 1
        nodeAffinity: null
      securityContext:
        fsGroup: 1001
        seccompProfile:
          type: RuntimeDefault
      initContainers: null
      containers:
      - name: mysql
        image: mysql:8-oracle@sha256:47e045b6313ef483654ac47c31e6fdbfc6ecf6b399a65c03859bee2cfbb1621f
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsNonRoot: true
          runAsUser: 1001
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault

Terrascan command:

terrascan scan -i k8s -f chart_template.yaml

Terrascan output:

Violation Details -

    Description    :    Default seccomp profile not enabled will make the container to make non-essential system calls
    File           :    chart_template.yaml
    Line           :    151
    Severity       :    MEDIUM
    -----------------------------------------------------------------------

Scan Summary -

    File/Folder         :   chart_template.yaml
    IaC Type            :   k8s
    Scanned At          :   2023-07-05 10:23:39.193272 +0000 UTC
    Policies Validated  :   42
    Violated Policies   :   1
    Low                 :   0
    Medium              :   1
    High                :   0

How can I define the seccomp profile for a resource so that the violation disappears? Thank you.
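As an added example (not terrascan's own policy code), the check below applies the seccomp precedence that the manifest above relies on: a container-level securityContext overrides the pod-level one, and at each level the seccompProfile field overrides the legacy alpha annotation, which remains as a fallback. It assumes the manifest has already been parsed into a dict (for example with PyYAML) and reports the containers that end up with no profile.

```python
# Added example, not terrascan's policy code: report containers in a Kubernetes
# workload manifest that end up without a seccomp profile. Container-level
# settings override pod-level ones; at each level the securityContext field
# overrides the legacy alpha annotation. Assumes an already-parsed dict manifest.

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
DEFAULT_ANNOTATION = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
CONTAINER_ANNOTATION = "container.seccomp.security.alpha.kubernetes.io/"
CONFINED_TYPES = {"RuntimeDefault", "Localhost"}


def _profile_type(security_context):
    """seccompProfile.type of a securityContext block, or None when unset."""
    return ((security_context or {}).get("seccompProfile") or {}).get("type")


def _annotation_confined(value):
    """Legacy annotation values such as runtime/default or localhost/<path>."""
    return value is not None and value != "unconfined"


def unconfined_containers(manifest):
    """Return the names of containers that have no effective seccomp profile."""
    spec = manifest.get("spec") or {}
    if "template" in spec:          # Deployment, StatefulSet, DaemonSet, Job, ...
        pod_meta = spec["template"].get("metadata") or {}
        pod_spec = spec["template"].get("spec") or {}
    else:                           # bare Pod
        pod_meta, pod_spec = manifest.get("metadata") or {}, spec
    annotations = pod_meta.get("annotations") or {}
    pod_type = _profile_type(pod_spec.get("securityContext"))
    if pod_type is not None:        # the field, when present, wins over annotations
        pod_ok = pod_type in CONFINED_TYPES
    else:
        pod_ok = any(_annotation_confined(annotations.get(k))
                     for k in (POD_ANNOTATION, DEFAULT_ANNOTATION))
    missing = []
    for c in (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or []):
        c_type = _profile_type(c.get("securityContext"))
        c_annotation = annotations.get(CONTAINER_ANNOTATION + c["name"])
        if c_type is not None:      # container-level field overrides everything
            ok = c_type in CONFINED_TYPES
        elif c_annotation is not None:
            ok = _annotation_confined(c_annotation)
        else:
            ok = pod_ok
        if not ok:
            missing.append(c["name"])
    return missing
```

Run against the StatefulSet from this issue, the function returns an empty list, which is the result the policy should produce for that manifest.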

aakanshaverma1310 commented 1 year ago

@fminna - I'm also getting the same warning

NathanJAdams commented 8 months ago

Same here, it's a bug: https://github.com/tenable/terrascan/issues/1604. I'm having to add it as a skipped rule in the config.toml for now.