
Conversation

@esticansat (Contributor) commented Jul 4, 2025

Fixes #604.

Starting on Kubernetes 1.19, support for seccomp is considered stable. As part of this change, the seccomp configuration is no longer tracked as part of annotations but within the securityContext fields of the manifest. The changes of this PR aim at updating Kubesec so that it can now check for this new location of seccomp.

The list of locations where the seccomp profile can be specified is nicely recollected under the Kubernetes PSS documentation page (search for 'Seccomp' under either the baseline or restricted policy sections):

spec.securityContext.seccompProfile.type
spec.containers[*].securityContext.seccompProfile.type
spec.initContainers[*].securityContext.seccompProfile.type
spec.ephemeralContainers[*].securityContext.seccompProfile.type

Consequently I have:

  • Updated the checkSecurityContext function under pkg/rules so that it supports the ephemeralContainers field as well
  • Updated the seccompAny rule and unit tests to look for the values of the seccompProfile in the four places above.
  • Updated the seccompUnconfined rule and unit tests to look for the values of the seccompProfile in the four places above.
  • Removed an acceptance test about seccomp that I saw was duplicated.
  • Added new acceptance tests to cover for the new seccomp scenarios.
  • Updated the selector property of both seccompAny and seccompUnconfined rules under pkg/ruler.

All Submissions.

Code Submissions.

  • Does your submission pass linting, tests, and security analysis?

Changes to Core Features.

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
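The four lookup locations listed in the description above, worked through as an added Go example that is not Kubesec's own code: the CheckSeccomp name, the JSON (rather than YAML) manifest input and the sample Pod are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample manifest: pod-level RuntimeDefault, a container overriding it
// with Unconfined, an initContainer with no profile, an ephemeralContainer with Localhost.
const samplePod = `{"spec":{"securityContext":{"seccompProfile":{"type":"RuntimeDefault"}},
 "containers":[{"name":"app","securityContext":{"seccompProfile":{"type":"Unconfined"}}}],
 "initContainers":[{"name":"init"}],
 "ephemeralContainers":[{"name":"debug","securityContext":{"seccompProfile":{"type":"Localhost","localhostProfile":"p.json"}}}]}}`
// CheckSeccomp decodes a Pod manifest (JSON form, assumed here) and returns the
// profile type set at each of the four PSS locations, plus the sorted paths whose
// type is Unconfined. seccompAny is len(found) > 0; seccompUnconfined is len(unconfined) > 0.
func CheckSeccomp(manifest []byte) (found map[string]string, unconfined []string, err error) {
	var doc map[string]any
	if err = json.Unmarshal(manifest, &doc); err != nil {
		return nil, nil, err
	}
	// profileType reads securityContext.seccompProfile.type from a pod spec or container.
	profileType := func(obj map[string]any) (string, bool) {
		sc, _ := obj["securityContext"].(map[string]any) // nil-map lookups are safe in Go
		sp, _ := sc["seccompProfile"].(map[string]any)
		t, ok := sp["type"].(string)
		return t, ok
	}
	found, unconfined = map[string]string{}, []string{}
	spec, _ := doc["spec"].(map[string]any)
	if t, ok := profileType(spec); ok {
		found["spec.securityContext.seccompProfile.type"] = t
	}
	for _, field := range []string{"containers", "initContainers", "ephemeralContainers"} {
		list, _ := spec[field].([]any)
		for i, item := range list {
			c, _ := item.(map[string]any)
			if t, ok := profileType(c); ok {
				found[fmt.Sprintf("spec.%s[%d].securityContext.seccompProfile.type", field, i)] = t
			}
		}
	}
	for p, t := range found {
		if t == "Unconfined" {
			unconfined = append(unconfined, p)
		}
	}
	sort.Strings(unconfined) // map iteration order is random
	return found, unconfined, nil
}
```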

@esticansat esticansat changed the title Fix for issue 604 - Seccomp rules check udpates Fix for issue #604 - Seccomp rules check udpates Jul 4, 2025
@esticansat esticansat force-pushed the fix-604-seccomp-rule-update branch from 5497ff6 to 86e0e21 July 4, 2025 12:18
@esticansat esticansat force-pushed the fix-604-seccomp-rule-update branch from 86e0e21 to af34b8a July 4, 2025 12:20
@esticansat esticansat marked this pull request as ready for review July 4, 2025 12:25
@esticansat (Contributor, Author) commented:

Adding @sublimino @06kellyjac for review

@sublimino sublimino self-assigned this Aug 29, 2025
@06kellyjac (Member) commented:

@kusari-inspector rerun

@kusari-inspector commented:

🔄 Run triggered at 15:19:42 UTC. Starting fresh analysis...

@kusari-inspector bot commented Aug 29, 2025

Kusari Inspector

Kusari Analysis Results:

Proceed with these changes

✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.

Combined analysis shows no actual security risks. Dependency analysis found no issues with pinned versions, code changes, or exposed secrets. Code analysis identified 180 security issues, but these are exclusively within test asset files (test/asset/) that are intentionally designed with security misconfigurations to validate the kubesec security scanner's detection capabilities. These findings represent legitimate test cases rather than production vulnerabilities. No secrets, critical vulnerabilities, module vulnerabilities, or workflow issues were detected in production code. The security findings are expected and necessary for proper testing functionality.


@sublimino sublimino changed the title Fix for issue #604 - Seccomp rules check udpates Fix for issue #604 - Seccomp rules check updates Aug 30, 2025
@kusari-inspector commented:

Kusari PR Analysis rerun based on db670ee, performed at: 2025-08-30T17:41:53Z

@sublimino (Member) left a comment

Looks great @esticansat! I made a couple of small tweaks, thanks for the fixes 🎉

@06kellyjac 06kellyjac merged commit 3df3056 into controlplaneio:master Sep 5, 2025
13 checks passed

Development

Successfully merging this pull request may close these issues.

seccomp rule documentation needs an update