zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
https://kube-score.com
MIT License
2.74k stars · 176 forks

securityContext.privileged false positive #275

Closed · ghost closed this 4 years ago

ghost commented 4 years ago

Which version of kube-score are you using?

kube-score version: 1.7.2, commit: 0da8da32204cc5c18df2e8fe1aff04312e9de01c, built: 2020-07-09T14:21:31Z

What did you do?

Ran kube-score on a deployment manifest. Below are a minimal manifest and a command to reproduce the problem:

---
kind: Deployment
apiVersion: apps/v1
spec:
  template:
    spec:
      containers:
        - name: test
          image: busybox
          securityContext:
            readOnlyRootFilesystem: true
            runAsUser: 10000
            runAsGroup: 10000

kube-score score deployment.yaml \
    --ignore-test deployment-has-poddisruptionbudget \
    --ignore-test deployment-has-host-podantiaffinity \
    --ignore-test pod-networkpolicy \
    --ignore-test container-image-tag \
    --ignore-test container-resources

What did you expect to see?

With the example above, no errors.

What did you see instead?

One error:

apps/v1/Deployment                                                            💥
    [CRITICAL] Container Security Context
        · test -> The container is privileged
            Set securityContext.privileged to false

This is a false positive, as the privileged field defaults to false.

Maybe kube-score considers the fact that it's not specified explicitly an issue. If that's the case, in my opinion it is not made clear at all; plus the statement "The container is privileged" is incorrect.

zegl commented 4 years ago

@romain-depres Thanks for the great bug report! kube-score does incorrectly treat an unset/null "privileged" configuration as if the container does have privileged access. I'll send a PR to fix this.
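The root cause described in the report and confirmed in the reply is a three-valued field being read as two-valued: in the Kubernetes API `securityContext.privileged` is a `*bool`, so "unset" (nil, which the API treats as false) must not be confused with an explicit `true`. The following Go program is an added illustration, not kube-score's own code: it uses a minimal stand-in struct (assumed, mirroring the `Privileged *bool` shape of `corev1.SecurityContext`) and places a check that reproduces the reported false positive next to one that applies the API semantics. The container list is constructed sample data, including the unset case from the manifest above.

```go
package main

import "fmt"

// SecurityContext is a minimal stand-in (assumed, not kube-score's type) for
// corev1.SecurityContext, keeping only the field this issue is about.
// Privileged is a pointer so that "unset" (nil) is distinct from an explicit
// true or false, exactly as in the Kubernetes API types.
type SecurityContext struct {
	Privileged *bool
}

// Container is a minimal stand-in for corev1.Container (assumed).
type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

// isPrivilegedBuggy reproduces the behaviour reported in the issue: anything
// other than an explicit `privileged: false` is treated as privileged, so a
// container that simply leaves the field unset (the Kubernetes default, which
// means false) is flagged.
func isPrivilegedBuggy(c Container) bool {
	if c.SecurityContext == nil || c.SecurityContext.Privileged == nil {
		return true
	}
	return *c.SecurityContext.Privileged
}

// isPrivilegedFixed applies the API semantics: only an explicit
// `privileged: true` makes the container privileged; a missing
// securityContext, a nil Privileged and an explicit false all mean "not
// privileged".
func isPrivilegedFixed(c Container) bool {
	sc := c.SecurityContext
	return sc != nil && sc.Privileged != nil && *sc.Privileged
}

// Finding is what a check emits for one container.
type Finding struct {
	Container string
	Message   string
}

// checkPrivileged runs the fixed logic over a pod's containers and returns a
// finding only for containers that are genuinely privileged.
func checkPrivileged(containers []Container) []Finding {
	var findings []Finding
	for _, c := range containers {
		if isPrivilegedFixed(c) {
			findings = append(findings, Finding{
				Container: c.Name,
				Message:   "The container is privileged",
			})
		}
	}
	return findings
}

func boolPtr(b bool) *bool { return &b }

func main() {
	// Constructed sample: the container from the report (privileged unset),
	// plus explicit false, explicit true, and no securityContext at all.
	containers := []Container{
		{Name: "test", SecurityContext: &SecurityContext{}}, // unset, as in the issue
		{Name: "explicit-false", SecurityContext: &SecurityContext{Privileged: boolPtr(false)}},
		{Name: "explicit-true", SecurityContext: &SecurityContext{Privileged: boolPtr(true)}},
		{Name: "no-security-context"},
	}
	for _, c := range containers {
		fmt.Printf("%-20s buggy=%-5v fixed=%v\n", c.Name, isPrivilegedBuggy(c), isPrivilegedFixed(c))
	}
	fmt.Println("findings:", checkPrivileged(containers))
}
```

Running it shows the buggy check flagging three of the four containers while the fixed check reports only `explicit-true`. The same nil-versus-false distinction applies to the other pointer-typed security fields on the container and pod specs, so a linter that dereferences them needs to decide per field whether "unset" should be reported as a missing hardening setting or accepted as the safe default, and phrase its message accordingly.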