Commit
This is a pretty major overhaul of the K8S security policy checks. This PR uses the most current style of check writing to ensure checks return "clear, accurate, and actionable" results.

## Current Method

Example: Container should not allow privilege escalation

The current check is written as follows:

```coffee
k8s.deployment {
  initContainers {
    securityContext['allowPrivilegeEscalation'] != true
  }
  containers {
    securityContext['allowPrivilegeEscalation'] != true
  }
}
```

While the check does make an assertion, the results return data.

```
k8s.deployment: {
  initContainers: []
  containers: [
    0: {
      securityContext[allowPrivilegeEscalation] != true: true
    }
  ]
}
```

## Updated Method: Container should not allow privilege escalation

This PR updates the check as follows:

```
k8s.deployment.initContainers.all( securityContext['allowPrivilegeEscalation'] != true )
k8s.deployment.containers.all( securityContext['allowPrivilegeEscalation'] != true )
```

The results from a passing check look like this:

```
[ok] value: true
```

The results from a failed check will return the following:

```
[failed] [].all()
  actual:   [
    0: k8s.container {
      securityContext: {
        privileged: false
      }
      securityContext[allowPrivilegeEscalation]: null
      name: "dvwa"
    }
  ]
```

---------

Signed-off-by: Scott Ford <[email protected]>
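The failing result above is worth a closer look: the container `dvwa` has no `allowPrivilegeEscalation` field at all (it reports `null`), yet the check fails. That is the right outcome, because Kubernetes treats an unset `allowPrivilegeEscalation` as `true`, and also forces it to `true` when the container is `privileged` or adds `CAP_SYS_ADMIN`. The script below is an added example, not Mondoo/cnspec code or MQL; it re-implements the same `.all()` logic over `initContainers` and `containers` in plain Python against a constructed Deployment manifest (the names `init-setup`, `web` and `dvwa` and the manifest contents are made up for illustration) and makes those Kubernetes defaults explicit, so a missing field counts as a failure rather than a silent pass.

```python
"""Flag containers in a Kubernetes Deployment that may escalate privileges.

Added example, not part of the Mondoo policy or cnspec. It mirrors the shape
of the updated MQL check (every initContainer and container must pass) and
encodes the Kubernetes semantics the check relies on:
  - allowPrivilegeEscalation defaults to true when the field is unset
  - privileged: true or CAP_SYS_ADMIN force it to true regardless
"""
import json

# Constructed sample manifest (not from the original page): one init container
# that opts in explicitly, one container that is hardened correctly, and one
# ("dvwa") that omits the field and therefore inherits the true default.
SAMPLE_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "dvwa"},
  "spec": {
    "template": {
      "spec": {
        "initContainers": [
          {"name": "init-setup",
           "securityContext": {"allowPrivilegeEscalation": true}}
        ],
        "containers": [
          {"name": "web",
           "securityContext": {"allowPrivilegeEscalation": false,
                               "runAsNonRoot": true}},
          {"name": "dvwa",
           "securityContext": {"privileged": false}}
        ]
      }
    }
  }
}
""")


def container_allows_escalation(container):
    """Return True if this container may gain more privileges than its parent.

    Follows the documented Kubernetes rules: privileged containers and
    containers adding CAP_SYS_ADMIN always allow escalation; otherwise the
    field must be explicitly false, since an absent value defaults to true.
    """
    sc = container.get("securityContext") or {}
    if sc.get("privileged") is True:
        return True
    caps_added = (sc.get("capabilities") or {}).get("add") or []
    if "SYS_ADMIN" in caps_added or "CAP_SYS_ADMIN" in caps_added:
        return True
    return sc.get("allowPrivilegeEscalation") is not False


def find_escalating_containers(deployment):
    """Return [(section, name), ...] for every container failing the check.

    initContainers are evaluated before containers, matching the order the
    MQL check walks them.
    """
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    failures = []
    for section in ("initContainers", "containers"):
        for c in pod_spec.get(section) or []:
            if container_allows_escalation(c):
                failures.append((section, c.get("name", "<unnamed>")))
    return failures


def check_deployment(deployment):
    """Return (passed, failures); passed is True only when every container passes."""
    failures = find_escalating_containers(deployment)
    return (len(failures) == 0, failures)


if __name__ == "__main__":
    passed, failures = check_deployment(SAMPLE_DEPLOYMENT)
    print("[ok] value: true" if passed else "[failed]")
    for section, name in failures:
        print(f"  {section}: {name} allows privilege escalation")
```

Run it as-is and it reports both `init-setup` (explicit `true`) and `dvwa` (field unset, so defaulted to `true`) while `web` passes. The explicit `is not False` comparison is deliberate: a naive `!= True` would let the `null` case through, which is exactly the container the updated check correctly fails.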