This repository was archived by the owner on Oct 30, 2024. It is now read-only.

Not finding errors in deployment #523

@mtcolman

Description

ISSUE TYPE
  • Bug Report
  • Feature Idea

BUG REPORT

SUMMARY

I'm testing a deployment.yaml with low/no securityContexts within, and kubeaudit is not reporting any findings.

ENVIRONMENT
  • Kubeaudit version: 0.21.0
  • Kubeaudit install method: Linux, Ubuntu tar and mv to /usr/local/bin
STEPS TO REPRODUCE

Use this yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
  labels:
    app.kubernetes.io/name: mysql
    app.kubernetes.io/instance: mysql-abcxzy
    app.kubernetes.io/version: "5.7.21"
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: wordpress
    app.kubernetes.io/managed-by: helm
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes
      release: 1.7
  template:
    metadata:
      labels:
        app: hello-kubernetes
        release: 1.7
    spec:
#      securityContext:
#        runAsNonRoot: true
      containers:
      - name: container-one
        image: mytest/container-one:1.5
#        securityContext:
#          runAsNonRoot: true
        ports:
        - containerPort: 8080
      - name: container-two
        image: mytest/container-two:2.2
#        securityContext:
#          runAsNonRoot: true
        ports:
        - containerPort: 9000
EXPECTED RESULTS

I expected a lot of results about missing securityContexts and security-related settings.

ACTUAL RESULTS
$ kubeaudit all -f "deployment.yaml"
All checks completed. 0 high-risk vulnerabilities found
ADDITIONAL INFO

A similar test with a pod manifest worked as follows:

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
#  securityContext:
#    runAsNonRoot: true
  containers:
    - name: container-one
      image: mytest/container-one:1.5
      securityContext:
        runAsNonRoot: true
      ports:
      - containerPort: 8080
    - name: container-two
      image: mytest/container-two:2.2
#      securityContext:
#        runAsNonRoot: true
      ports:
      - containerPort: 9000
$ kubeaudit all -f "pod.yaml"

---------------- Results for ---------------

  apiVersion: v1
  kind: Pod
  metadata:
    name: example-pod

--------------------------------------------

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container-one' should be added.
   Metadata:
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container-one
      Container: container-one

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container-two' should be added.
   Metadata:
      Container: container-two
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container-two

-- [error] AutomountServiceAccountTokenTrueAndDefaultSA
   Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.

-- [error] CapabilityOrSecurityContextMissing
   Message: Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL.
   Metadata:
      Container: container-one

-- [error] CapabilityOrSecurityContextMissing
   Message: Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL.
   Metadata:
      Container: container-two

-- [warning] LimitsNotSet
   Message: Resource limits not set.
   Metadata:
      Container: container-one

-- [warning] LimitsNotSet
   Message: Resource limits not set.
   Metadata:
      Container: container-two

-- [error] RunAsNonRootPSCNilCSCNil
   Message: runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.
   Metadata:
      Container: container-two

-- [error] AllowPrivilegeEscalationNil
   Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
   Metadata:
      Container: container-one

-- [error] AllowPrivilegeEscalationNil
   Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
   Metadata:
      Container: container-two

-- [warning] PrivilegedNil
   Message: privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.
   Metadata:
      Container: container-one

-- [warning] PrivilegedNil
   Message: privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.
   Metadata:
      Container: container-two

-- [error] ReadOnlyRootFilesystemNil
   Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
   Metadata:
      Container: container-one

-- [error] ReadOnlyRootFilesystemNil
   Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
   Metadata:
      Container: container-two

-- [error] SeccompProfileMissing
   Message: Pod Seccomp profile is missing. Seccomp profile should be added to the pod SecurityContext.
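For reference, the following is an added example (not the reporter's manifest and not code from the kubeaudit project) of the same Deployment with every setting that the Pod run above flagged now set: the AppArmor annotation per container, automountServiceAccountToken disabled, runAsNonRoot and a seccomp profile in the pod securityContext, and allowPrivilegeEscalation, privileged, readOnlyRootFilesystem, dropped capabilities and resource limits on each container. The image names are taken from the report; the CPU and memory limit values and the AppArmor/seccomp profile choice (runtime/default, RuntimeDefault) are assumptions for illustration. Note that Kubernetes label values must be strings, so the example quotes the release label as "1.7"; the unquoted release: 1.7 in the reported manifest decodes as a YAML float and is rejected by kubectl apply, which is worth ruling out when reproducing.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes
      release: "1.7"            # quoted: label values must be strings
  template:
    metadata:
      labels:
        app: hello-kubernetes
        release: "1.7"
      annotations:
        # AppArmorAnnotationMissing: one annotation per container name.
        # runtime/default is an assumed profile choice for this example.
        container.apparmor.security.beta.kubernetes.io/container-one: runtime/default
        container.apparmor.security.beta.kubernetes.io/container-two: runtime/default
    spec:
      # AutomountServiceAccountTokenTrueAndDefaultSA: do not mount the
      # default service account token unless the workload talks to the API.
      automountServiceAccountToken: false
      securityContext:
        # RunAsNonRootPSCNilCSCNil: set once at pod level, inherited by containers.
        runAsNonRoot: true
        # SeccompProfileMissing: RuntimeDefault is an assumed choice here.
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: container-one
        image: mytest/container-one:1.5
        ports:
        - containerPort: 8080
        securityContext:
          allowPrivilegeEscalation: false   # AllowPrivilegeEscalationNil
          privileged: false                 # PrivilegedNil (explicit, not default)
          readOnlyRootFilesystem: true      # ReadOnlyRootFilesystemNil
          capabilities:                     # CapabilityOrSecurityContextMissing
            drop:
            - ALL
        resources:                          # LimitsNotSet; values are assumptions
          limits:
            cpu: 500m
            memory: 256Mi
      - name: container-two
        image: mytest/container-two:2.2
        ports:
        - containerPort: 9000
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        resources:
          limits:
            cpu: 500m
            memory: 256Mi
```

Two practical caveats: readOnlyRootFilesystem: true breaks any process that writes under its image root (for example /tmp or a cache directory), so such paths usually need an emptyDir volume mounted read-write; and if the application genuinely needs the API token, prefer a dedicated ServiceAccount with only the RBAC it requires rather than re-enabling automount on the default one.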
