-
-
Notifications
You must be signed in to change notification settings - Fork 183
/
Copy pathsecurity.go
102 lines (81 loc) · 3.75 KB
/
security.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
package security
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/zegl/kube-score/score/checks"
"github.com/zegl/kube-score/scorecard"
)
func Register(allChecks *checks.Checks) {
allChecks.RegisterPodCheck("Container Security Context", `Makes sure that all pods have good securityContexts configured`, containerSecurityContext)
allChecks.RegisterOptionalPodCheck("Container Seccomp Profile", `Makes sure that all pods have at a seccomp policy configured.`, podSeccompProfile)
}
// containerSecurityContext checks that the recommended securityPolicy options are set
func containerSecurityContext(podTemplate corev1.PodTemplateSpec, typeMeta metav1.TypeMeta) (score scorecard.TestScore) {
allContainers := podTemplate.Spec.InitContainers
allContainers = append(allContainers, podTemplate.Spec.Containers...)
noContextSet := false
hasPrivileged := false
hasWritableRootFS := false
hasLowUserID := false
hasLowGroupID := false
podSecurityContext := podTemplate.Spec.SecurityContext
for _, container := range allContainers {
if container.SecurityContext == nil && podSecurityContext == nil {
noContextSet = true
score.AddComment(container.Name, "Container has no configured security context", "Set securityContext to run the container in a more secure context.")
continue
}
sec := container.SecurityContext
if sec == nil {
sec = &corev1.SecurityContext{}
}
// Forward values from PodSecurityContext to the (container level) SecurityContext if not set
if podSecurityContext != nil {
if sec.RunAsGroup == nil {
sec.RunAsGroup = podSecurityContext.RunAsGroup
}
if sec.RunAsUser == nil {
sec.RunAsUser = podSecurityContext.RunAsUser
}
}
if sec.Privileged != nil && *sec.Privileged {
hasPrivileged = true
score.AddComment(container.Name, "The container is privileged", "Set securityContext.privileged to false. Privileged containers can access all devices on the host, and grants almost the same access as non-containerized processes on the host.")
}
if sec.ReadOnlyRootFilesystem == nil || *sec.ReadOnlyRootFilesystem == false {
hasWritableRootFS = true
score.AddComment(container.Name, "The pod has a container with a writable root filesystem", "Set securityContext.readOnlyRootFilesystem to true")
}
if sec.RunAsUser == nil || *sec.RunAsUser < 10000 {
hasLowUserID = true
score.AddComment(container.Name, "The container is running with a low user ID", "A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000")
}
if sec.RunAsGroup == nil || *sec.RunAsGroup < 10000 {
hasLowGroupID = true
score.AddComment(container.Name, "The container running with a low group ID", "A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000")
}
}
if noContextSet || hasPrivileged || hasWritableRootFS || hasLowUserID || hasLowGroupID {
score.Grade = scorecard.GradeCritical
} else {
score.Grade = scorecard.GradeAllOK
}
return
}
// podSeccompProfile checks if the any Seccommp profile is configured for the pod
func podSeccompProfile(podTemplate corev1.PodTemplateSpec, typeMeta metav1.TypeMeta) (score scorecard.TestScore) {
metadata := podTemplate.ObjectMeta
seccompAnnotated := false
if metadata.Annotations != nil {
if _, ok := metadata.Annotations["seccomp.security.alpha.kubernetes.io/defaultProfileName"]; ok {
seccompAnnotated = true
}
}
if !seccompAnnotated {
score.Grade = scorecard.GradeWarning
score.AddComment(metadata.Name, "The pod has not configured Seccomp for its containers", "Running containers with Seccomp is recommended to reduce the kernel attack surface")
} else {
score.Grade = scorecard.GradeAllOK
}
return
}