Inability to read ingresses in NetworkPolicies #1709
Description
This issue was found when running scout against a GKE cluster containing multiple Network Policies.
When a NetworkPolicy includes PolicyType: ingress and ingress is notNull, the current_path is shorter than the key, resulting in an exception. The code continues but has errors. Since it throws an exception, automated pipelines detect the failure and consider it failed.
The console output of the error in debug mode:
scout[77349] ERROR browser.py L67: Unable to get index "7" from path "['network_policy', 'v1-networking-k8s-io', 'resources', '--rabbitmq--rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator', 'data', 'spec']": list index out of range
Traceback (most recent call last):
File "/media/psf/Project/ScoutSuite/ScoutSuite/providers/base/configs/browser.py", line 67, in get_value_at
target_path.append(current_path[i])
~~~~~~~~~~~~^^^
IndexError: list index out of range
scout[77349] ERROR browser.py L67: Unable to get index "7" from path "['network_policy', 'v1-networking-k8s-io', 'resources', '--rabbitmq--rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator', 'data', 'spec']": list index out of range
Traceback (most recent call last):
File "/media/psf/Project/ScoutSuite/ScoutSuite/providers/base/configs/browser.py", line 67, in get_value_at
target_path.append(current_path[i])
~~~~~~~~~~~~^^^
IndexError: list index out of range
To Reproduce
Run scout against a cluster with a NetworkPolicy that contains a PolicyType: ingress and non-null ingress block.
$ python3 scout.py kubernetes --debug -c gke
- None, works fine for scans that are not looking at network policies.
Additional context
The current rule seems to be generalized to both ingress and egress, but the description and test are ingress specific. So, the easiest fix is just to replace the current rule below with an ingress specific rule that has the valid path.
Current Rule
{
"description": "Unrestricted Cluster Network Ingress",
"rationale": "Unrestricted cluster ingress controls allow any compromised pod to interact with any other pods.",
"references": [
"https://kubernetes.io/docs/concepts/cluster-administration/networking/",
"https://kubernetes.io/docs/concepts/services-networking/network-policies/"
],
"dashboard_name": "Network Policies",
"display_path": "network_policy.v1-networking-k8s-io.id",
"path": "network_policy.v1-networking-k8s-io.resources.id.data.spec",
"conditions": [
"or",
[
"and",
[
"network_policy.v1-networking-k8s-io.resources.id.data.spec",
"withKey",
"policy_types"
],
[
"network_policy.v1-networking-k8s-io.resources.id.data.spec.policy_types",
"notNull",
""
],
[
"network_policy.v1-networking-k8s-io.resources.id.data.spec.policy_types",
"notContainString",
"Ingress"
]
],
[
"and",
[
"network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress",
"notNull",
""
],
[
"network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress.id.ports",
"null",
""
],
[
"network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress.id.from",
"null",
""
]
]
]
}
Proposed Rule
{
"description": "Unrestricted Cluster Network Ingress",
"rationale": "Unrestricted cluster ingress controls allow any compromised pod to interact with any other pods.",
"references": [
"https://kubernetes.io/docs/concepts/cluster-administration/networking/",
"https://kubernetes.io/docs/concepts/services-networking/network-policies/"
],
"dashboard_name": "Network Policies",
"display_path": "network_policy.v1-networking-k8s-io.id",
"path": "network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress.id",
"conditions": [
"or",
[
"and",
[
"network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress.id",
"notNull",
""
],
[
"network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress.id.ports",
"null",
""
],
[
"network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress.id.from",
"null",
""
]
]
]
}
Output with the proposed rule
scout[78834] DEBUG Processing NETWORK_POLICY rule "Unrestricted Cluster Network Ingress" (networkpolicy-unrestricted-cluster-network-ingress.json)
If the rule is actually right and the system may regularly face situations where len(key) > len(current_path), shouldn't it handle that first in the loop and break when it occurs?
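To make the failure mode and the closing question concrete, here is an added example written for this issue; it is not ScoutSuite's own browser.py and does not claim to reproduce its internals. It is a simplified model of how a condition key with `id` placeholders is substituted from the current_path of the resource a rule iterates over. The sample config, the policy names (allow-all, restricted) and the function names (resource_paths, resolve_path, get_value_at, flag_unrestricted_ingress) are all constructed for the example. With the current rule's path, current_path has six segments while the ports/from keys place an `id` at index 7, which is the IndexError in the traceback; with the proposed path ending in ingress.id, each ingress entry becomes the iterated object and the lookup resolves. The model also shows what happens if the loop merely stops at the out-of-range `id`: an unresolvable key treated as null flags every policy, including the one whose ingress is restricted, so the guard alone does not give a correct finding without the corrected path.

```python
"""Constructed model of rule-path resolution for this issue; NOT ScoutSuite's browser.py.
All names and sample data below are assumptions made for the example."""
from typing import Any, Optional

# Constructed sample data shaped like the paths in the report. 'allow-all' has one
# ingress rule with neither 'ports' nor 'from'; 'restricted' limits ports.
CONFIG = {
    "network_policy": {
        "v1-networking-k8s-io": {
            "resources": {
                "allow-all": {"data": {"spec": {"policy_types": ["Ingress"], "ingress": [{}]}}},
                "restricted": {"data": {"spec": {"policy_types": ["Ingress"],
                                                 "ingress": [{"ports": [{"port": 5672}]}]}}},
            }
        }
    }
}

CURRENT_RULE_PATH = "network_policy.v1-networking-k8s-io.resources.id.data.spec"
PROPOSED_RULE_PATH = "network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress.id"
PORTS_KEY = "network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress.id.ports"
FROM_KEY = "network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress.id.from"


def resource_paths(config: dict, rule_path: str) -> list:
    """Expand every 'id' wildcard in a rule's 'path' into the concrete paths of the
    objects the rule iterates over (dict keys, or list indexes rendered as strings)."""
    results = [([], config)]
    for segment in rule_path.split("."):
        expanded = []
        for path, obj in results:
            if segment == "id":
                if isinstance(obj, dict):
                    children = obj.items()
                elif isinstance(obj, list):
                    children = ((str(i), v) for i, v in enumerate(obj))
                else:
                    children = ()
                expanded.extend((path + [k], v) for k, v in children)
            elif isinstance(obj, dict) and segment in obj:
                expanded.append((path + [segment], obj[segment]))
        results = expanded
    return [path for path, _ in results]


def resolve_path(current_path: list, key: str, strict: bool) -> Optional[list]:
    """Substitute each 'id' in a condition key with the element of current_path at the
    same index. strict=True raises IndexError when an 'id' lies beyond the end of
    current_path (the failure in the report); strict=False reports the key as unresolvable."""
    target_path = []
    for i, segment in enumerate(key.split(".")):
        if segment != "id":
            target_path.append(segment)
        elif strict or i < len(current_path):
            target_path.append(current_path[i])  # IndexError when i >= len(current_path)
        else:
            return None  # the key reaches deeper than the resource path; nothing to substitute
    return target_path


def get_value_at(config: dict, current_path: list, key: str, strict: bool = False) -> Any:
    """Walk the resolved path through nested dicts and lists; None if any step is absent."""
    target_path = resolve_path(current_path, key, strict)
    if target_path is None:
        return None
    obj = config
    for p in target_path:
        if isinstance(obj, dict):
            obj = obj.get(p)
        elif isinstance(obj, list) and p.isdigit() and int(p) < len(obj):
            obj = obj[int(p)]
        else:
            return None
        if obj is None:
            return None
    return obj


def flag_unrestricted_ingress(config: dict, rule_path: str) -> list:
    """Apply the 'ports is null and from is null' test to each object selected by
    rule_path and return the concrete paths that come out as unrestricted."""
    flagged = []
    for current_path in resource_paths(config, rule_path):
        ports = get_value_at(config, current_path, PORTS_KEY)
        sources = get_value_at(config, current_path, FROM_KEY)
        if ports is None and sources is None:
            flagged.append(".".join(current_path))
    return flagged


if __name__ == "__main__":
    print("current path, guard only:", flag_unrestricted_ingress(CONFIG, CURRENT_RULE_PATH))
    print("proposed path:", flag_unrestricted_ingress(CONFIG, PROPOSED_RULE_PATH))
```

Running the module prints both policies for the current rule path (the guard turns the crash into a false positive on the restricted policy) and only allow-all's ingress entry for the proposed path, which is the behaviour the issue is after.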