ValidatingAdmissionPolicy for C-0013 #11
Hi @slashben, there is a mismatch between the documentation and the rego functionality. This is what the rego actually does:
This is a very complex control, I will review a bit later.
Hi @suhasgumma
Thank you @Daniel-GrunbergerCA.
Signed-off-by: Suhas Gumma <[email protected]>
Hi @Daniel-GrunbergerCA, this is what I have done:
Good job! Sorry for the delay :)
@slashben can you have a look, Daniel did approve in the past, but a second review before merging would be good
@matthyx I came across this as I was looking at a similar problem, but wonder if it's not possible to simplify the validations to a single expression by using variables:
```yaml
variables:
  # Extract podSpec from Pod, Deployment, ReplicaSet, DaemonSet, StatefulSet, Job, CronJob
  # CronJob wraps a JobTemplate: the PodSpec lives at object.spec.jobTemplate.spec.template.spec
  - name: cronjobPodSpec
    expression: |
      object.kind == 'CronJob' ? object.spec.jobTemplate.spec.template.spec : null
  # Pod has the PodSpec directly in object.spec; all remaining kinds have it in object.spec.template.spec
  - name: otherPodSpec
    expression: |
      object.kind == 'Pod' ? object.spec : object.spec.template.spec
  # Pass the correct podSpec based on the object kind
  - name: podSpec
    expression: |
      object.kind == 'CronJob' ? variables.cronjobPodSpec : variables.otherPodSpec
validations:
  - expression: >
      variables.podSpec.containers.all(container,
        (
          (
            has(container.securityContext) &&
            has(container.securityContext.allowPrivilegeEscalation) &&
            container.securityContext.allowPrivilegeEscalation == false
          ) ||
          (
            (
              !has(container.securityContext) || !has(container.securityContext.allowPrivilegeEscalation)
            ) &&
            (
              has(variables.podSpec.securityContext) &&
              has(variables.podSpec.securityContext.allowPrivilegeEscalation) &&
              variables.podSpec.securityContext.allowPrivilegeEscalation == false
            )
          )
        ) &&
        (
          (
            (
              has(container.securityContext) &&
              has(container.securityContext.runAsNonRoot) &&
              container.securityContext.runAsNonRoot == true
            ) ||
            (
              (
                !has(container.securityContext) || !has(container.securityContext.runAsNonRoot)
              ) &&
              (
                has(variables.podSpec.securityContext) &&
                has(variables.podSpec.securityContext.runAsNonRoot) &&
                variables.podSpec.securityContext.runAsNonRoot == true
              )
            )
          ) ||
          (
            (
              has(container.securityContext) &&
              has(container.securityContext.runAsUser) &&
              container.securityContext.runAsUser != 0
            ) ||
            (
              (
                !has(container.securityContext) || !has(container.securityContext.runAsUser)
              ) &&
              (
                has(variables.podSpec.securityContext) &&
                has(variables.podSpec.securityContext.runAsUser) &&
                variables.podSpec.securityContext.runAsUser != 0
              )
            )
          )
        )
      )
    message: "Workload contains container/s which have the capability to run as root! (see more at https://hub.armosec.io/docs/c-0013)"
```
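To make the precedence rules in the expression above concrete (a container's own securityContext wins, the pod-level securityContext is only the fallback), here is an added Python mirror of that CEL check run over constructed manifests; it is example code, not part of the PR or the kubescape project.

```python
# Added example: a Python mirror of the C-0013 CEL validation so its precedence
# rules can be exercised offline. The manifests below are constructed samples.

def pod_spec(obj: dict) -> dict:
    """Locate the PodSpec the same way the CEL 'podSpec' variable does."""
    if obj["kind"] == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if obj["kind"] == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]


def effective(container: dict, spec: dict, field: str):
    """Container-level securityContext field if present, else pod-level, else None."""
    csc = container.get("securityContext") or {}
    if field in csc:
        return csc[field]
    return (spec.get("securityContext") or {}).get(field)


def container_ok(container: dict, spec: dict) -> bool:
    """Per-container predicate: no privilege escalation AND (non-root OR uid != 0)."""
    no_escalation = effective(container, spec, "allowPrivilegeEscalation") is False
    non_root = effective(container, spec, "runAsNonRoot") is True
    uid = effective(container, spec, "runAsUser")
    return no_escalation and (non_root or (uid is not None and uid != 0))


def workload_ok(obj: dict) -> bool:
    """True when every container passes, i.e. the admission policy would allow it."""
    spec = pod_spec(obj)
    return all(container_ok(c, spec) for c in spec["containers"])


# Constructed sample: pod-level runAsNonRoot is inherited by the container.
SAFE_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "securityContext": {"allowPrivilegeEscalation": False}}],
}}}}

# Constructed sample: the container overrides the pod-level runAsNonRoot with false.
ROOT_CRONJOB = {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "job", "securityContext": {
        "allowPrivilegeEscalation": False, "runAsNonRoot": False}}],
}}}}}}

# Constructed sample: nothing set anywhere, so the check fails.
UNSET_POD = {"kind": "Pod", "spec": {"containers": [{"name": "c"}]}}
```

Note that the Kubernetes PodSecurityContext has no allowPrivilegeEscalation field, so in practice only a container-level `allowPrivilegeEscalation: false` can satisfy the first clause of the expression.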
Control C-0013
Related Resources: CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
Control Docs: https://hub.armosec.io/docs/c-0013
Control Rego: https://github.com/kubescape/regolibrary/blob/master/rules/non-root-containers/raw.rego