feat: add new container security rules for NoNewPrivileges and SeccompProfile

- Introduced NoNewPrivilegesRule to ensure containers do not allow privilege escalation.
- Added SeccompProfileRule to validate seccomp profiles for containers, ensuring proper security configurations.
- Updated linters settings to include new exclusion rules for NoNewPrivileges and SeccompProfile.
- Enhanced documentation in README.md to reflect new checks and their implications.

Author: Evsyukov Denis

pkg/config/linters_settings.go

@@ -56,6 +56,8 @@ type ContainerExcludeRules struct {
 	HostNetworkPorts       ContainerRuleExcludeList `mapstructure:"host-network-ports"`
 	Ports                  ContainerRuleExcludeList `mapstructure:"ports"`
 	ReadOnlyRootFilesystem ContainerRuleExcludeList `mapstructure:"read-only-root-filesystem"`
+	NoNewPrivileges        ContainerRuleExcludeList `mapstructure:"no-new-privileges"`
+	SeccompProfile         ContainerRuleExcludeList `mapstructure:"seccomp-profile"`
 	ImageDigest            ContainerRuleExcludeList `mapstructure:"image-digest"`
 	Resources              ContainerRuleExcludeList `mapstructure:"resources"`
 	SecurityContext        ContainerRuleExcludeList `mapstructure:"security-context"`

pkg/linters/container/README.md

@@ -1,13 +1,17 @@
 ## Description
 
 Checks containers inside the template spec. This linter protects against the next cases:
- - containers with the duplicated names
- - containers with the duplicated env variables
- - misconfigured images repository and digest
- - imagePullPolicy is "Always" (should be unspecified or "IfNotPresent")
- - ephemeral storage is not defined in .resources
- - SecurityContext is not defined
- - container uses port <= 1024
+
+- containers with the duplicated names
+- containers with the duplicated env variables
+- misconfigured images repository and digest
+- imagePullPolicy is "Always" (should be unspecified or "IfNotPresent")
+- ephemeral storage is not defined in .resources
+- SecurityContext is not defined
+- ReadOnlyRootFilesystem is not set to true (prevents write access to container root filesystem)
+- AllowPrivilegeEscalation is not set to false (prevents privilege escalation attacks)
+- Seccomp profile is not properly configured (ensures default seccomp filtering is enabled)
+- container uses port <= 1024
 - Checks for probes defined in containers.
 
 ## Settings example
@@ -26,6 +30,16 @@ linters-settings:
           name: deckhouse
           container: init-downloaded-modules
       # exclude if object kind, object name and containers name are equal
+      no-new-privileges:
+        - kind: Deployment
+          name: privileged-deployment
+          container: init-container
+      # exclude if object kind, object name and containers name are equal
+      seccomp-profile:
+        - kind: DaemonSet
+          name: system-daemon
+          container: system-container
+      # exclude if object kind, object name and containers name are equal
       resources:
         - kind: Deployment
           name: standby-holder-name
@@ -57,4 +71,4 @@ linters-settings:
           name: okmeter
           container: okagent
     impact: error
-```
+```

pkg/linters/container/rules.go

@@ -59,6 +59,10 @@ func (l *Container) applyContainerRules(object storage.StoreObject, errorList *e
 		rules.NewNameDuplicatesRule().ContainerNameDuplicates,
 		rules.NewCheckReadOnlyRootFilesystemRule(l.cfg.ExcludeRules.ReadOnlyRootFilesystem.Get()).
 			ObjectReadOnlyRootFilesystem,
+		rules.NewNoNewPrivilegesRule(l.cfg.ExcludeRules.NoNewPrivileges.Get()).
+			ContainerNoNewPrivileges,
+		rules.NewSeccompProfileRule(l.cfg.ExcludeRules.SeccompProfile.Get()).
+			ContainerSeccompProfile,
 		rules.NewHostNetworkPortsRule(l.cfg.ExcludeRules.HostNetworkPorts.Get()).ObjectHostNetworkPorts,
 
 		// old with module names skipping

pkg/linters/container/rules/container_no_new_privileges.go

@@ -0,0 +1,84 @@
+/*
+Copyright 2025 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules
+
+import (
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/deckhouse/dmt/internal/storage"
+	"github.com/deckhouse/dmt/pkg"
+	"github.com/deckhouse/dmt/pkg/errors"
+)
+
+const (
+	NoNewPrivilegesRuleName = "no-new-privileges"
+)
+
+func NewNoNewPrivilegesRule(excludeRules []pkg.ContainerRuleExclude) *NoNewPrivilegesRule {
+	return &NoNewPrivilegesRule{
+		RuleMeta: pkg.RuleMeta{
+			Name: NoNewPrivilegesRuleName,
+		},
+		ContainerRule: pkg.ContainerRule{
+			ExcludeRules: excludeRules,
+		},
+	}
+}
+
+type NoNewPrivilegesRule struct {
+	pkg.RuleMeta
+	pkg.ContainerRule
+}
+
+// ContainerNoNewPrivileges checks that containers have allowPrivilegeEscalation set to false
+// This prevents privilege escalation attacks by ensuring containers cannot gain additional privileges
+// Reference: CIS Kubernetes Benchmark 5.2.5
+func (r *NoNewPrivilegesRule) ContainerNoNewPrivileges(object storage.StoreObject, containers []corev1.Container, errorList *errors.LintRuleErrorsList) {
+	errorList = errorList.WithRule(r.GetName()).WithFilePath(object.ShortPath())
+
+	switch object.Unstructured.GetKind() {
+	case "Deployment", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob":
+	default:
+		return
+	}
+
+	for i := range containers {
+		c := &containers[i]
+
+		if !r.Enabled(object, c) {
+			// TODO: add metrics
+			continue
+		}
+
+		if c.SecurityContext == nil {
+			errorList.WithObjectID(object.Identity() + " ; container = " + c.Name).
+				Error("Container's SecurityContext is missing - cannot verify allowPrivilegeEscalation setting")
+			continue
+		}
+
+		if c.SecurityContext.AllowPrivilegeEscalation == nil {
+			errorList.WithObjectID(object.Identity() + " ; container = " + c.Name).
+				Error("Container's SecurityContext missing parameter AllowPrivilegeEscalation - should be set to false to prevent privilege escalation")
+			continue
+		}
+
+		if *c.SecurityContext.AllowPrivilegeEscalation {
+			errorList.WithObjectID(object.Identity() + " ; container = " + c.Name).
+				Error("Container's SecurityContext has `AllowPrivilegeEscalation: true`, but it must be `false` to prevent privilege escalation attacks")
+		}
+	}
+}

pkg/linters/container/rules/container_no_new_privileges_test.go

@@ -0,0 +1,188 @@
+/*
+Copyright 2025 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	"github.com/deckhouse/dmt/internal/storage"
+	"github.com/deckhouse/dmt/pkg"
+	"github.com/deckhouse/dmt/pkg/errors"
+)
+
+func TestNoNewPrivilegesRule_ContainerNoNewPrivileges(t *testing.T) {
+	tests := []struct {
+		name           string
+		kind           string
+		containers     []corev1.Container
+		expectedErrors []string
+	}{
+		{
+			name: "unsupported kind should be ignored",
+			kind: "Service",
+			containers: []corev1.Container{{
+				Name: "test",
+			}},
+			expectedErrors: []string{},
+		},
+		{
+			name: "missing security context should error",
+			kind: "Deployment",
+			containers: []corev1.Container{{
+				Name: "test-container",
+			}},
+			expectedErrors: []string{
+				"Container's SecurityContext is missing - cannot verify allowPrivilegeEscalation setting",
+			},
+		},
+		{
+			name: "missing allowPrivilegeEscalation should error",
+			kind: "Deployment",
+			containers: []corev1.Container{{
+				Name: "test-container",
+				SecurityContext: &corev1.SecurityContext{
+					RunAsNonRoot: boolPtr(true),
+				},
+			}},
+			expectedErrors: []string{
+				"Container's SecurityContext missing parameter AllowPrivilegeEscalation - should be set to false to prevent privilege escalation",
+			},
+		},
+		{
+			name: "allowPrivilegeEscalation true should error",
+			kind: "Deployment",
+			containers: []corev1.Container{{
+				Name: "test-container",
+				SecurityContext: &corev1.SecurityContext{
+					AllowPrivilegeEscalation: boolPtr(true),
+				},
+			}},
+			expectedErrors: []string{
+				"Container's SecurityContext has `AllowPrivilegeEscalation: true`, but it must be `false` to prevent privilege escalation attacks",
+			},
+		},
+		{
+			name: "allowPrivilegeEscalation false should pass",
+			kind: "Deployment",
+			containers: []corev1.Container{{
+				Name: "test-container",
+				SecurityContext: &corev1.SecurityContext{
+					AllowPrivilegeEscalation: boolPtr(false),
+				},
+			}},
+			expectedErrors: []string{},
+		},
+		{
+			name: "multiple containers with mixed settings",
+			kind: "Pod",
+			containers: []corev1.Container{
+				{
+					Name: "good-container",
+					SecurityContext: &corev1.SecurityContext{
+						AllowPrivilegeEscalation: boolPtr(false),
+					},
+				},
+				{
+					Name: "bad-container",
+					SecurityContext: &corev1.SecurityContext{
+						AllowPrivilegeEscalation: boolPtr(true),
+					},
+				},
+				{
+					Name: "missing-context",
+				},
+			},
+			expectedErrors: []string{
+				"Container's SecurityContext has `AllowPrivilegeEscalation: true`, but it must be `false` to prevent privilege escalation attacks",
+				"Container's SecurityContext is missing - cannot verify allowPrivilegeEscalation setting",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rule := NewNoNewPrivilegesRule([]pkg.ContainerRuleExclude{})
+			errorList := errors.NewLintRuleErrorsList()
+
+			obj := storage.StoreObject{
+				Path: "test.yaml",
+				Unstructured: unstructured.Unstructured{
+					Object: map[string]any{
+						"kind":     tt.kind,
+						"metadata": map[string]any{"name": "test-obj"},
+					},
+				},
+			}
+
+			rule.ContainerNoNewPrivileges(obj, tt.containers, errorList)
+			errs := errorList.GetErrors()
+
+			if len(tt.expectedErrors) == 0 {
+				assert.Empty(t, errs, "Expected no errors")
+			} else {
+				assert.Len(t, errs, len(tt.expectedErrors), "Expected %d errors", len(tt.expectedErrors))
+				for i, expectedError := range tt.expectedErrors {
+					assert.Contains(t, errs[i].Text, expectedError, "Error %d should contain expected text", i)
+				}
+			}
+		})
+	}
+}
+
+func TestNoNewPrivilegesRule_WithExclusions(t *testing.T) {
+	excludeRules := []pkg.ContainerRuleExclude{
+		{
+			Kind:      "Deployment",
+			Name:      "excluded-deployment",
+			Container: "excluded-container",
+		},
+	}
+
+	rule := NewNoNewPrivilegesRule(excludeRules)
+	errorList := errors.NewLintRuleErrorsList()
+
+	obj := storage.StoreObject{
+		Path: "test.yaml",
+		Unstructured: unstructured.Unstructured{
+			Object: map[string]any{
+				"kind":     "Deployment",
+				"metadata": map[string]any{"name": "excluded-deployment"},
+			},
+		},
+	}
+
+	containers := []corev1.Container{{
+		Name: "excluded-container",
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: boolPtr(true), // This would normally fail
+		},
+	}}
+
+	rule.ContainerNoNewPrivileges(obj, containers, errorList)
+	errs := errorList.GetErrors()
+
+	assert.Empty(t, errs, "Excluded container should not generate errors")
+}
+
+// Helper function to create bool pointers
+func boolPtr(b bool) *bool {
+	return &b
+}