zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
https://kube-score.com
MIT License

kube-score/ignore does not work for container-security-context-readonlyrootfilesystem #373

Closed jsalonen closed 3 years ago

jsalonen commented 3 years ago

Which version of kube-score are you using?

kube-score version: v1.10.0 and v1.11.0

What did you do?

Adding kube-score/ignore for container-security-context-readonlyrootfilesystem should allow kube-score to pass on containers that have non-readonly filesystem.

Example template that fails:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: statefulset-test-1
  annotations:
    kube-score/ignore: container-security-context-readonlyrootfilesystem
spec:
  template:
    spec:
      containers:
      - name: foobar
        image: foo:bar
        securityContext:
          readOnlyRootFilesystem: false

What did you expect to see?

I expect kube-score to pass the validation for readOnlyRootFilesystem due to the ignore annotation.

The template contains other errors that of course should appear.

What did you see instead?

    [CRITICAL] Container Security Context
        · foobar -> The pod has a container with a writable root filesystem
            Set securityContext.readOnlyRootFilesystem to true
zegl commented 3 years ago

container-security-context is currently undergoing a split into three new subtests. This was announced in v1.10, with a planned "flip" of the defaults to happen in v1.11. This did not happen and is instead scheduled to happen in v1.12.

To migrate to the future defaults you can run kube-score with the following flags:

kube-score score \
    --enable-optional-test container-security-context-user-group-id \
    --enable-optional-test container-security-context-privileged \
    --enable-optional-test container-security-context-readonlyrootfilesystem \
    --ignore-test container-security-context

If you run kube-score with these flags, you'll also be able to ignore the test as used in your example.

In the current (v1.11.0) default configuration you'd have to ignore using kube-score/ignore: container-security-context to ignore this error, but that also ignores some of the other security-related tests, which is why this migration to the new defaults is happening.
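To make the trade-off in the comment above concrete, here is an added, simplified model (written for this thread, not kube-score's own code) of how a kube-score/ignore annotation is matched against the legacy umbrella test versus the three split subtests. The manifests and the individual checks are constructed assumptions; in particular the user/group-id rule is a stand-in, not kube-score's exact threshold.

```python
# Added illustration: how kube-score/ignore interacts with the legacy
# container-security-context test and its three split subtests.
# Simplified model for this thread, not kube-score's own implementation.

LEGACY_TEST = "container-security-context"

# Constructed manifest mirroring the one in the issue, as a dict so the
# example runs without a YAML library.
ISSUE_MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {
        "name": "statefulset-test-1",
        "annotations": {
            "kube-score/ignore": "container-security-context-readonlyrootfilesystem",
        },
    },
    "spec": {"template": {"spec": {"containers": [
        {"name": "foobar", "image": "foo:bar",
         "securityContext": {"readOnlyRootFilesystem": False}},
    ]}}},
}

# Second constructed manifest: a privileged container whose author ignored
# the umbrella test name, which is what the v1.11 defaults required.
PRIVILEGED_MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {
        "name": "umbrella-ignore",
        "annotations": {"kube-score/ignore": LEGACY_TEST},
    },
    "spec": {"template": {"spec": {"containers": [
        {"name": "priv", "image": "foo:bar",
         "securityContext": {"readOnlyRootFilesystem": True,
                             "privileged": True}},
    ]}}},
}


def ignored_tests(manifest):
    """Parse the comma-separated kube-score/ignore annotation into a set."""
    annotations = manifest.get("metadata", {}).get("annotations", {})
    raw = annotations.get("kube-score/ignore", "")
    return {t.strip() for t in raw.split(",") if t.strip()}


def container_findings(container):
    """Return (subtest, message) pairs for the checks a container fails.

    The checks are simplified assumptions, not kube-score's exact rules.
    """
    sc = container.get("securityContext", {})
    name = container["name"]
    findings = []
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(("container-security-context-readonlyrootfilesystem",
                         f"{name} -> The pod has a container with a writable root filesystem"))
    if sc.get("privileged") is True:
        findings.append(("container-security-context-privileged",
                         f"{name} -> The container is privileged"))
    if sc.get("runAsUser") is None or sc.get("runAsGroup") is None:
        findings.append(("container-security-context-user-group-id",
                         f"{name} -> runAsUser/runAsGroup are not set"))
    return findings


def score(manifest, split_tests_enabled):
    """Return the findings that survive the manifest's ignore annotation.

    split_tests_enabled=False models the v1.11 defaults: every subtest is
    reported under the umbrella name, so only ignoring that name silences it.
    split_tests_enabled=True models the --enable-optional-test flags above:
    each subtest is its own test and can be ignored individually.
    """
    ignored = ignored_tests(manifest)
    reported = []
    for container in manifest["spec"]["template"]["spec"]["containers"]:
        for subtest, message in container_findings(container):
            test_name = subtest if split_tests_enabled else LEGACY_TEST
            if test_name not in ignored:
                reported.append((test_name, message))
    return reported


if __name__ == "__main__":
    for label, manifest in (("issue", ISSUE_MANIFEST),
                            ("privileged", PRIVILEGED_MANIFEST)):
        for split in (False, True):
            print(label, "split" if split else "legacy", score(manifest, split))
```

Running it shows both halves of the comment: under the legacy mapping the issue's annotation does not match anything, so the writable-root-filesystem finding still appears under the umbrella name, while under the split mapping it is silenced and only the unrelated finding remains. Conversely, the umbrella ignore that the old defaults forced on users also hides the privileged finding, whereas with the split tests enabled it hides nothing, which is the granularity the migration is meant to restore.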

jsalonen commented 3 years ago

Thank you for the swift response.

I guess the biggest issue here is that it was quite difficult to understand from the documentation that this was the reason behind it all.

Closing