Updates K8s security checks #273

Merged: 4 commits merged into main on Oct 16, 2023

Conversation

scottford-io (Contributor)

This is a pretty major overhaul of the K8S security policy checks. This PR uses the most current style of check writing to ensure checks return "clear, accurate, and actionable" results.

Current Method Example: Container should not allow privilege escalation

The current check is written as follows:

k8s.deployment {
  initContainers {
    securityContext['allowPrivilegeEscalation'] != true
  }
  containers {
    securityContext['allowPrivilegeEscalation'] != true
  }
}

While the check does make an assertion, the results return data.

k8s.deployment: {
  initContainers: []
  containers: [
    0: {
      securityContext[allowPrivilegeEscalation] != true: true
    }
  ]
}

Updated Method: Container should not allow privilege escalation

This PR updates the check as follows:

k8s.deployment.initContainers.all( securityContext['allowPrivilegeEscalation'] != true )
k8s.deployment.containers.all( securityContext['allowPrivilegeEscalation'] != true )

The results from a passing check look like this:

[ok] value: true

The results from a failed check will return the following:

[failed] [].all()
  actual:   [
    0: k8s.container {
      securityContext: {
        privileged: false
      }
      securityContext[allowPrivilegeEscalation]: null
      name: "dvwa"
    }
  ]
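The `.all(...)` form above returns the offending containers rather than a per-field true/false. As an added example (not code from this PR or from the cnspec policies), the same check expressed in Python over a constructed Deployment manifest: it walks both `initContainers` and `containers`, and, like the failed output above where the field is null, treats an unset `allowPrivilegeEscalation` as a failure, since only an explicit `false` sets the container's no_new_privs bit.

```python
# Constructed sample Deployment (not from the PR): the init container is hardened,
# the main container leaves allowPrivilegeEscalation unset.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "dvwa"},
    "spec": {
        "template": {
            "spec": {
                "initContainers": [
                    {"name": "init-db",
                     "securityContext": {"allowPrivilegeEscalation": False}},
                ],
                "containers": [
                    {"name": "dvwa", "securityContext": {"privileged": False}},
                ],
            }
        }
    },
}


def _pod_spec(deployment):
    """Return the pod template spec of a Deployment, or {} if absent."""
    return deployment.get("spec", {}).get("template", {}).get("spec", {}) or {}


def allows_privilege_escalation(container):
    """True unless the container explicitly disables privilege escalation.
    An unset (None) flag counts as allowed: no_new_privs is only set on False."""
    ctx = container.get("securityContext") or {}
    return ctx.get("allowPrivilegeEscalation") is not False


def check_no_privilege_escalation(deployment):
    """Mirror of the PR's `.all(...)` check: returns (passed, failing), where
    failing lists each offending container with the context needed to act on it."""
    failing = []
    for field in ("initContainers", "containers"):
        for container in _pod_spec(deployment).get(field) or []:
            if allows_privilege_escalation(container):
                ctx = container.get("securityContext") or {}
                failing.append({
                    "field": field,
                    "name": container.get("name"),
                    "allowPrivilegeEscalation": ctx.get("allowPrivilegeEscalation"),
                })
    return (not failing, failing)


if __name__ == "__main__":
    passed, findings = check_no_privilege_escalation(SAMPLE_DEPLOYMENT)
    print("[ok]" if passed else "[failed]", findings)
```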

updates spelling

Signed-off-by: Scott Ford <[email protected]>
@scottford-io scottford-io force-pushed the scottford/updates-k8s-security-checks branch from c7de51d to ac31e8f Compare October 4, 2023 17:15
@mm-weber mm-weber self-requested a review October 9, 2023 11:40
@mm-weber mm-weber self-assigned this Oct 9, 2023
@mm-weber (Contributor) left a comment

Thanks for this great addition @scottford-io! It goes a long way toward making our policies cleaner.
Hope the comments help.

Review comments (outdated, resolved) on core/mondoo-kubernetes-security.mql.yaml
@scottford-io (Contributor, Author)

@mm-weber all recommendations have been added. Thank you for the great review!

@scottford-io scottford-io requested a review from mm-weber October 13, 2023 03:51
@mm-weber (Contributor) left a comment

LGTM

@mm-weber mm-weber merged commit b5831cf into main Oct 16, 2023
7 checks passed
@mm-weber mm-weber deleted the scottford/updates-k8s-security-checks branch October 16, 2023 15:53
@github-actions github-actions bot locked and limited conversation to collaborators Oct 16, 2023