score/security: added optional, splitted probes as future replacemnt for security context probe

Markus Lackner · Markus Lackner · commit daa264e0c5b5 · 2020-11-04T23:08:34.000+01:00
Fixes zegl#325
diff --git a/README.md b/README.md
@@ -38,7 +38,7 @@ For a full list of checks, see [README_CHECKS.md](README_CHECKS.md).
 * Deployments and StatefulSets should have a `PodDisruptionPolicy`
 * Deployments and StatefulSets should have host PodAntiAffinity configured
 * Container probes, a readiness should be configured, and should not be identical to the liveness probe. Read more in  [README_PROBES.md](README_PROBES.md).
-* Container securityContext, run as high number user/group, do not run as root or with privileged root fs
+* Container securityContext, run as high number user/group, do not run as root or with privileged root fs. Read more in [README_SECURITYCONTEXT.md](README_SECURITYCONTEXT.md).
 * Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet)
 
 ## Example output
diff --git a/README_CHECKS.md b/README_CHECKS.md
@@ -14,7 +14,10 @@
 | pod-networkpolicy | Pod | Makes sure that all Pods are targeted by a NetworkPolicy | default |
 | networkpolicy-targets-pod | NetworkPolicy | Makes sure that all NetworkPolicies targets at least one Pod | default |
 | pod-probes | Pod | Makes sure that all Pods have safe probe configurations | default |
-| container-security-context | Pod | Makes sure that all pods have good securityContexts configured | default |
+| container-security-context | Pod | Makes sure that all pods have good securityContexts configured (*deprecated*, see [README_SECURITYCONTEXT.md](README_SECURITYCONTEXT.md) | default |
+| container-security-context-user-group-id | Pod | Makes sure that user and group ID are set and > 10000 | optional |
+| container-security-context-privileged | Pod | Makes sure that no Containers run in privileged mode | optional |
+| container-security-context-readonlyrootfilesystem | Makes sure that all Containers have read only filesystems | optional |
 | container-seccomp-profile | Pod | Makes sure that all pods have at a seccomp policy configured. | optional |
 | service-targets-pod | Service | Makes sure that all Services targets a Pod | default |
 | service-type | Service | Makes sure that the Service type is not NodePort | default |
diff --git a/README_SECURITYCONTEXT.md b/README_SECURITYCONTEXT.md
@@ -0,0 +1,18 @@
+# Security Context
+
+The default probe `container-security-context` checks the `SecurityContext`
+for 
+
+* Containers with writeable root filesystems
+* Containers that run with user ID or group ID < 10000
+* Privileged containers
+
+If you do not want all of this checks you can disable `container-security-context`
+probe and enable one or more of the following optional probes:
+
+* `container-security-context-user-group-id`
+* `container-security-context-privileged`
+* `container-security-context-readonlyrootfilesystem`
+
+In future releases the `container-security-context` will become *optional*
+and replaced by the more detailed probes.
diff --git a/go.sum b/go.sum
@@ -27,6 +27,7 @@ github.com/fatih/color v1.8.0 h1:5bzFgL+oy7JITMTxUPJ00n7VxmYd/PdMp5mHFX40/RY=
 github.com/fatih/color v1.8.0/go.mod h1:3l45GVGkyrnYNl9HoIjnp2NnNWvh6hLAqD8yTfGjnw8=
 github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
+github.com/fatih/color v1.10.0 h1:s36xzo75JdqLaaWoiEHk767eHiwo0598uUxyfiPkDsg=
 github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -97,12 +98,14 @@ github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8=
 github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.8 h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.11 h1:FxPOTFNqGkuDUGi3H/qkUbQO4ZiBa2brKq5r0l8TGeM=
 github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
+github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
@@ -287,6 +290,7 @@ k8s.io/api v0.19.1 h1:oZf4bYsBdjC49PdTwNfLmrfUFCwKUi94HY/+emXI8Qw=
 k8s.io/api v0.19.1/go.mod h1:+u/k4/K/7vp4vsfdT7dyl8Oxk1F26Md4g5F26Tu85PU=
 k8s.io/api v0.19.2 h1:q+/krnHWKsL7OBZg/rxnycsl9569Pud76UJ77MvKXms=
 k8s.io/api v0.19.2/go.mod h1:IQpK0zFQ1xc5iNIQPqzgoOwuFugaYHK4iCknlAQP9nI=
+k8s.io/api v0.19.3 h1:GN6ntFnv44Vptj/b+OnMW7FmzkpDoIDLZRvKX3XH9aU=
 k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs=
 k8s.io/apimachinery v0.0.0-20191028221656-72ed19daf4bb/go.mod h1:llRdnznGEAqC3DcNm6yEj472xaFVfLM7hnYofMb12tQ=
 k8s.io/apimachinery v0.0.0-20191121015412-41065c7a8c2a h1:9V03T5lHv/iF4fSgvMCd+iB86AgEgmzLpheMqIJy7hs=
@@ -317,6 +321,7 @@ k8s.io/apimachinery v0.19.1 h1:cwsxZazM/LA9aUsBaL4bRS5ygoM6bYp8dFk22DSYQa4=
 k8s.io/apimachinery v0.19.1/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
 k8s.io/apimachinery v0.19.2 h1:5Gy9vQpAGTKHPVOh5c4plE274X8D/6cuEiTO2zve7tc=
 k8s.io/apimachinery v0.19.2/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
+k8s.io/apimachinery v0.19.3 h1:bpIQXlKjB4cB/oNpnNnV+BybGPR7iP5oYpsOTEJ4hgc=
 k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
diff --git a/score/security/security.go b/score/security/security.go
@@ -10,10 +10,110 @@ import (
 
 func Register(allChecks *checks.Checks) {
 	allChecks.RegisterPodCheck("Container Security Context", `Makes sure that all pods have good securityContexts configured`, containerSecurityContext)
+
+	allChecks.RegisterOptionalPodCheck("Container Security Context User Group ID", `Makes sure that all pods have a security context with valid UID and GID set `, containerSecurityContextUserGroupID)
+	allChecks.RegisterOptionalPodCheck("Container Security Context Privileged", "Makes sure that all pods have a unprivileged security context set", containerSecurityContextPrivileged)
+	allChecks.RegisterOptionalPodCheck("Container Security Context ReadOnlyRootFilesystem", "Makes sure that all pods have a security context with read only filesystem set", containerSecurityContextReadOnlyRootFilesystem)
+
 	allChecks.RegisterOptionalPodCheck("Container Seccomp Profile", `Makes sure that all pods have at a seccomp policy configured.`, podSeccompProfile)
 }
 
+// containerSecurityContextReadOnlyRootFilesystem checks for pods using writeable root filesystems
+func containerSecurityContextReadOnlyRootFilesystem(podTemplate corev1.PodTemplateSpec, typeMeta metav1.TypeMeta) (score scorecard.TestScore) {
+	allContainers := podTemplate.Spec.InitContainers
+	allContainers = append(allContainers, podTemplate.Spec.Containers...)
+
+	noContextSet := false
+	hasWritableRootFS := false
+
+	for _, container := range allContainers {
+		if container.SecurityContext == nil {
+			noContextSet = true
+			score.AddComment(container.Name, "Container has no configured security context", "Set securityContext to run the container in a more secure context.")
+			continue
+		}
+		sec := container.SecurityContext
+		if sec.ReadOnlyRootFilesystem == nil || *sec.ReadOnlyRootFilesystem == false {
+			hasWritableRootFS = true
+			score.AddComment(container.Name, "The pod has a container with a writable root filesystem", "Set securityContext.readOnlyRootFilesystem to true")
+		}
+	}
+
+	if noContextSet || hasWritableRootFS {
+		score.Grade = scorecard.GradeCritical
+	} else {
+		score.Grade = scorecard.GradeAllOK
+	}
+
+	return
+}
+
+// containerSecurityContextPrivileged checks for privileged containers
+func containerSecurityContextPrivileged(podTemplate corev1.PodTemplateSpec, typeMeta metav1.TypeMeta) (score scorecard.TestScore) {
+	allContainers := podTemplate.Spec.InitContainers
+	allContainers = append(allContainers, podTemplate.Spec.Containers...)
+	hasPrivileged := false
+	for _, container := range allContainers {
+		if container.SecurityContext != nil && container.SecurityContext.Privileged != nil && *container.SecurityContext.Privileged {
+			hasPrivileged = true
+			score.AddComment(container.Name, "The container is privileged", "Set securityContext.privileged to false. Privileged containers can access all devices on the host, and grants almost the same access as non-containerized processes on the host.")
+		}
+	}
+	if hasPrivileged {
+		score.Grade = scorecard.GradeCritical
+	} else {
+		score.Grade = scorecard.GradeAllOK
+	}
+	return
+}
+
+// containerSecurityContextUserGroupID checks that the user and group are valid ( > 10000) in the security context
+func containerSecurityContextUserGroupID(podTemplate corev1.PodTemplateSpec, typeMeta metav1.TypeMeta) (score scorecard.TestScore) {
+	allContainers := podTemplate.Spec.InitContainers
+	allContainers = append(allContainers, podTemplate.Spec.Containers...)
+	podSecurityContext := podTemplate.Spec.SecurityContext
+	noContextSet := false
+	hasLowUserID := false
+	hasLowGroupID := false
+	for _, container := range allContainers {
+		if container.SecurityContext == nil && podSecurityContext == nil {
+			noContextSet = true
+			score.AddComment(container.Name, "Container has no configured security context", "Set securityContext to run the container in a more secure context.")
+			continue
+		}
+		sec := container.SecurityContext
+		if sec == nil {
+			sec = &corev1.SecurityContext{}
+		}
+		// Forward values from PodSecurityContext to the (container level) SecurityContext if not set
+		if podSecurityContext != nil {
+			if sec.RunAsGroup == nil {
+				sec.RunAsGroup = podSecurityContext.RunAsGroup
+			}
+			if sec.RunAsUser == nil {
+				sec.RunAsUser = podSecurityContext.RunAsUser
+			}
+		}
+		if sec.RunAsUser == nil || *sec.RunAsUser < 10000 {
+			hasLowUserID = true
+			score.AddComment(container.Name, "The container is running with a low user ID", "A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000")
+		}
+
+		if sec.RunAsGroup == nil || *sec.RunAsGroup < 10000 {
+			hasLowGroupID = true
+			score.AddComment(container.Name, "The container running with a low group ID", "A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000")
+		}
+	}
+	if noContextSet || hasLowUserID || hasLowGroupID {
+		score.Grade = scorecard.GradeCritical
+	} else {
+		score.Grade = scorecard.GradeAllOK
+	}
+	return
+}
+
 // containerSecurityContext checks that the recommended securityPolicy options are set
+// Deprecated: will be replaced with "Container Security Context User Group ID", "Container Security Context Privileged" and "Container Security Context ReadOnlyRootFilesystem" in future versions
 func containerSecurityContext(podTemplate corev1.PodTemplateSpec, typeMeta metav1.TypeMeta) (score scorecard.TestScore) {
 	allContainers := podTemplate.Spec.InitContainers
 	allContainers = append(allContainers, podTemplate.Spec.Containers...)
diff --git a/score/security_test.go b/score/security_test.go
@@ -217,9 +217,9 @@ func TestPodSecurityContext(test *testing.T) {
 	}
 }
 
-func TestContainerSecurityContextPrivilegied(t *testing.T) {
+func TestContainerSecurityContextPrivileged(t *testing.T) {
 	t.Parallel()
-	testExpectedScore(t, "pod-security-context-privilegied.yaml", "Container Security Context", scorecard.GradeCritical)
+	testExpectedScore(t, "pod-security-context-privileged.yaml", "Container Security Context", scorecard.GradeCritical)
 }
 
 func TestContainerSecurityContextLowUser(t *testing.T) {
@@ -266,3 +266,126 @@ func TestContainerSeccompAllGood(t *testing.T) {
 		EnabledOptionalTests: structMap,
 	}, "Container Seccomp Profile", scorecard.GradeAllOK)
 }
+
+func TestContainerSecurityContextUserGroupIDAllGood(t *testing.T) {
+	t.Parallel()
+	structMap := make(map[string]struct{})
+	structMap["container-security-context-user-group-id"] = struct{}{}
+	c := testExpectedScoreWithConfig(t, config.Configuration{
+		AllFiles:             []ks.NamedReader{testFile("pod-security-context-all-good.yaml")},
+		EnabledOptionalTests: structMap,
+	}, "Container Security Context User Group ID", scorecard.GradeAllOK)
+	assert.Empty(t, c)
+}
+
+func TestContainerSecurityContextUserGroupIDLowGroup(t *testing.T) {
+	t.Parallel()
+	optionalChecks := make(map[string]struct{})
+	optionalChecks["container-security-context-user-group-id"] = struct{}{}
+	comments := testExpectedScoreWithConfig(t, config.Configuration{
+		AllFiles:             []ks.NamedReader{testFile("pod-security-context-low-group-id.yaml")},
+		EnabledOptionalTests: optionalChecks,
+	}, "Container Security Context User Group ID", scorecard.GradeCritical)
+	assert.Contains(t, comments, scorecard.TestScoreComment{
+		Path:        "foobar",
+		Summary:     "The container running with a low group ID",
+		Description: "A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000",
+	})
+}
+
+func TestContainerSecurityContextUserGroupIDLowUser(t *testing.T) {
+	t.Parallel()
+	optionalChecks := make(map[string]struct{})
+	optionalChecks["container-security-context-user-group-id"] = struct{}{}
+	comments := testExpectedScoreWithConfig(t, config.Configuration{
+		AllFiles:             []ks.NamedReader{testFile("pod-security-context-low-user-id.yaml")},
+		EnabledOptionalTests: optionalChecks,
+	}, "Container Security Context User Group ID", scorecard.GradeCritical)
+	assert.Contains(t, comments, scorecard.TestScoreComment{
+		Path:        "foobar",
+		Summary:     "The container is running with a low user ID",
+		Description: "A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000",
+	})
+}
+
+func TestContainerSecurityContextUserGroupIDNoSecurityContext(t *testing.T) {
+	t.Parallel()
+	optionalChecks := make(map[string]struct{})
+	optionalChecks["container-security-context-user-group-id"] = struct{}{}
+	comments := testExpectedScoreWithConfig(t, config.Configuration{
+		AllFiles:             []ks.NamedReader{testFile("pod-security-context-nosecuritycontext.yaml")},
+		EnabledOptionalTests: optionalChecks,
+	}, "Container Security Context User Group ID", scorecard.GradeCritical)
+	assert.Contains(t, comments, scorecard.TestScoreComment{
+		Path:        "foobar",
+		Summary:     "Container has no configured security context",
+		Description: "Set securityContext to run the container in a more secure context.",
+	})
+}
+
+func TestContainerSecurityContextPrivilegedAllGood(t *testing.T) {
+	t.Parallel()
+	structMap := make(map[string]struct{})
+	structMap["container-security-context-privileged"] = struct{}{}
+	c := testExpectedScoreWithConfig(t, config.Configuration{
+		AllFiles:             []ks.NamedReader{testFile("pod-security-context-all-good.yaml")},
+		EnabledOptionalTests: structMap,
+	}, "Container Security Context Privileged", scorecard.GradeAllOK)
+	assert.Empty(t, c)
+}
+
+func TestContainerSecurityContextPrivilegedPrivileged(t *testing.T) {
+	t.Parallel()
+	optionalChecks := make(map[string]struct{})
+	optionalChecks["container-security-context-privileged"] = struct{}{}
+	comments := testExpectedScoreWithConfig(t, config.Configuration{
+		AllFiles:             []ks.NamedReader{testFile("pod-security-context-privileged.yaml")},
+		EnabledOptionalTests: optionalChecks,
+	}, "Container Security Context Privileged", scorecard.GradeCritical)
+	assert.Contains(t, comments, scorecard.TestScoreComment{
+		Path:        "foobar",
+		Summary:     "The container is privileged",
+		Description: "Set securityContext.privileged to false. Privileged containers can access all devices on the host, and grants almost the same access as non-containerized processes on the host.",
+	})
+}
+
+func TestContainerSecurityContextReadOnlyRootFilesystemAllGood(t *testing.T) {
+	t.Parallel()
+	structMap := make(map[string]struct{})
+	structMap["container-security-context-readonlyrootfilesystem"] = struct{}{}
+	c := testExpectedScoreWithConfig(t, config.Configuration{
+		AllFiles:             []ks.NamedReader{testFile("pod-security-context-all-good.yaml")},
+		EnabledOptionalTests: structMap,
+	}, "Container Security Context ReadOnlyRootFilesystem", scorecard.GradeAllOK)
+	assert.Empty(t, c)
+}
+
+func TestContainerSecurityContextReadOnlyRootFilesystemWriteable(t *testing.T) {
+	t.Parallel()
+	optionalChecks := make(map[string]struct{})
+	optionalChecks["container-security-context-readonlyrootfilesystem"] = struct{}{}
+	comments := testExpectedScoreWithConfig(t, config.Configuration{
+		AllFiles:             []ks.NamedReader{testFile("pod-security-context-writeablerootfilesystem.yaml")},
+		EnabledOptionalTests: optionalChecks,
+	}, "Container Security Context ReadOnlyRootFilesystem", scorecard.GradeCritical)
+	assert.Contains(t, comments, scorecard.TestScoreComment{
+		Path:        "foobar",
+		Summary:     "The pod has a container with a writable root filesystem",
+		Description: "Set securityContext.readOnlyRootFilesystem to true",
+	})
+}
+
+func TestContainerSecurityContextReadOnlyRootFilesystemNoSecurityContext(t *testing.T) {
+	t.Parallel()
+	optionalChecks := make(map[string]struct{})
+	optionalChecks["container-security-context-readonlyrootfilesystem"] = struct{}{}
+	comments := testExpectedScoreWithConfig(t, config.Configuration{
+		AllFiles:             []ks.NamedReader{testFile("pod-security-context-nosecuritycontext.yaml")},
+		EnabledOptionalTests: optionalChecks,
+	}, "Container Security Context ReadOnlyRootFilesystem", scorecard.GradeCritical)
+	assert.Contains(t, comments, scorecard.TestScoreComment{
+		Path:        "foobar",
+		Summary:     "Container has no configured security context",
+		Description: "Set securityContext to run the container in a more secure context.",
+	})
+}
diff --git a/score/testdata/pod-security-context-nosecuritycontext.yaml b/score/testdata/pod-security-context-nosecuritycontext.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-test-1
+spec:
+  containers:
+  - name: foobar
+    image: foo/bar:latest
diff --git a/score/testdata/pod-security-context-privileged.yaml b/score/testdata/pod-security-context-privileged.yaml
diff --git a/score/testdata/pod-security-context-writeablerootfilesystem.yaml b/score/testdata/pod-security-context-writeablerootfilesystem.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-test-1
+spec:
+  containers:
+  - name: foobar
+    image: foo/bar:latest
+    securityContext:
+      privileged: True
