Merge pull request #194 from snyk/feat/secure-config-improved

feat: secure config improved

Author: ivanstanev

package-lock.json

@@ -44,7 +44,7 @@
     "needle": "^2.4.0",
     "response-time": "^2.3.2",
     "snyk-config": "^2.2.0",
-    "snyk-docker-plugin": "^1.33.0",
+    "snyk-docker-plugin": "1.34.0",
     "source-map-support": "^0.5.9",
     "tslib": "^1.9.3",
     "ws": "^7.0.0",

package.json

@@ -25,7 +25,7 @@ spec:
           readOnly: true
           mountPath: "/root/.docker"
         - name: temporary-storage
-          mountPath: "/snyk-monitor"
+          mountPath: "/var/tmp"
         env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -57,7 +57,11 @@ spec:
           limits:
             cpu: '1'
             memory: '2Gi'
-      securityContext: {}
+        securityContext:
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - ALL
       volumes:
       - name: docker-config
         secret:

snyk-monitor-deployment.yaml

@@ -31,7 +31,7 @@ spec:
             readOnly: true
             mountPath: "/root/.docker"
           - name: temporary-storage
-            mountPath: "/snyk-monitor"
+            mountPath: "/var/tmp"
           env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -51,6 +51,11 @@ spec:
             limits:
               cpu: '1'
               memory: '2Gi'
+          securityContext:
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
       volumes:
         - name: docker-config
           secret:

snyk-monitor/templates/deployment.yaml

@@ -7,6 +7,6 @@ const config = require('snyk-config')(__dirname + '/../..', {
 config.AGENT_ID = uuidv4();
 config.INTEGRATION_ID = config.INTEGRATION_ID.trim();
 config.CLUSTER_NAME = config.CLUSTER_NAME || 'Default cluster';
-config.IMAGE_STORAGE_ROOT = '/snyk-monitor';
+config.IMAGE_STORAGE_ROOT = '/var/tmp';
 
 export = config;

src/common/config.ts

@@ -2,18 +2,25 @@ import * as plugin from 'snyk-docker-plugin';
 import logger = require('../common/logger');
 import { IStaticAnalysisOptions, StaticAnalysisImageType } from './types';
 import { IPullableImage } from '../images/types';
+import config = require('../common/config');
 
 export interface IScanResult {
   image: string;
   imageWithTag: string;
   pluginResult: any;
 }
 
-function removeTagFromImage(imageWithTag: string): string {
+/**
+ * Exported for testing
+ */
+export function removeTagFromImage(imageWithTag: string): string {
   return imageWithTag.split('@')[0].split(':')[0];
 }
 
-function getImageTag(imageWithTag: string): string {
+/**
+ * Exported for testing
+ */
+export function getImageTag(imageWithTag: string): string {
   const imageParts: string[] = imageWithTag.split(':');
   if (imageParts.length === 2) { // image@sha256:hash or image:tag
     return imageParts[1];
@@ -22,17 +29,17 @@ function getImageTag(imageWithTag: string): string {
   return '';
 }
 
-function constructStaticAnalysisOptions(
-  fileSystemPath: string | undefined,
+/**
+ * Exported for testing
+ */
+export function constructStaticAnalysisOptions(
+  fileSystemPath: string,
 ): { staticAnalysisOptions: IStaticAnalysisOptions } {
-  if (!fileSystemPath) {
-    throw new Error('Missing path for image for static analysis');
-  }
-
   return {
     staticAnalysisOptions: {
       imagePath: fileSystemPath,
       imageType: StaticAnalysisImageType.DockerArchive,
+      tmpDirPath: config.IMAGE_STORAGE_ROOT,
     },
   };
 }

src/kube-scanner/image-scanner.ts

@@ -29,6 +29,7 @@ export enum StaticAnalysisImageType {
 export interface IStaticAnalysisOptions {
   imagePath: string;
   imageType: StaticAnalysisImageType;
+  tmpDirPath: string;
 }
 
 export interface KubeObjectMetadata {

src/kube-scanner/types.ts

@@ -0,0 +1,90 @@
+import * as tap from 'tap';
+import { V1Deployment } from '@kubernetes/client-node';
+
+export function validateSecureConfiguration(test: tap, deployment: V1Deployment) {
+  if (
+    !deployment.spec ||
+    !deployment.spec.template.spec ||
+    !deployment.spec.template.spec.containers ||
+    deployment.spec.template.spec.containers.length === 0 ||
+    !deployment.spec.template.spec.containers[0].securityContext
+  ) {
+    test.fail('bad container spec or missing securityContext');
+    return;
+  }
+
+  const securityContext =
+    deployment.spec.template.spec.containers[0].securityContext;
+
+  if (!securityContext.capabilities) {
+    test.fail('missing capabilities section in pod securityContext');
+    return;
+  }
+
+  test.same(
+    securityContext.capabilities.drop,
+    ['ALL'],
+    'all capabilities are dropped',
+  );
+
+  if (securityContext.capabilities.add) {
+    test.false(
+      securityContext.capabilities.add.includes('SYS_ADMIN'),
+      'CAP_SYS_ADMIN not added',
+    );
+  }
+
+  test.ok(
+    securityContext.readOnlyRootFilesystem === true,
+    'readOnlyRootFilesystem is set',
+  );
+}
+
+export function validateVolumeMounts(test: tap, deployment: V1Deployment) {
+  if (
+    !deployment.spec ||
+    !deployment.spec.template.spec ||
+    !deployment.spec.template.spec.containers ||
+    deployment.spec.template.spec.containers.length === 0 ||
+    !deployment.spec.template.spec.containers[0].volumeMounts
+  ) {
+    test.fail('bad container spec or missing volumeMounts');
+    return;
+  }
+
+  const volumeMounts = deployment.spec.template.spec.containers[0].volumeMounts;
+
+  const temporaryStorageMount = volumeMounts.find(
+    (mount) => mount.name === 'temporary-storage',
+  );
+  if (!temporaryStorageMount) {
+    test.fail('missing deployment mount "temporary-storage"');
+    return;
+  }
+
+  test.same(
+    temporaryStorageMount.mountPath,
+    '/var/tmp',
+    'deployment file mounts temporary storage at the expected path',
+  );
+
+  const dockerConfigMount = volumeMounts.find(
+    (mount) => mount.name === 'docker-config',
+  );
+  if (!dockerConfigMount) {
+    test.fail('missing deployment mount "docker-config"');
+    return;
+  }
+
+  test.same(
+    dockerConfigMount.readOnly,
+    true,
+    'docker-config is a read-only mount',
+  );
+
+  test.same(
+    dockerConfigMount.mountPath,
+    '/root/.docker',
+    'docker-config mount path is as expected',
+  );
+}

test/helpers/deployment.ts

@@ -1,4 +1,4 @@
-import { CoreV1Api, KubeConfig } from '@kubernetes/client-node';
+import { CoreV1Api, KubeConfig, AppsV1Api } from '@kubernetes/client-node';
 import setup = require('../setup');
 import * as tap from 'tap';
 import { getKindConfigPath } from '../helpers/kind';
@@ -9,6 +9,7 @@ import {
   validateHomebaseStoredMetadata,
   getHomebaseResponseBody,
 } from '../helpers/homebase';
+import { validateSecureConfiguration, validateVolumeMounts } from '../helpers/deployment';
 
 let integrationId: string;
 
@@ -162,3 +163,20 @@ tap.test(`snyk-monitor has resource limits`, async (t) => {
   t.ok(monitorResources.requests.cpu !== undefined, 'snyk-monitor has cpu resource request');
   t.ok(monitorResources.requests.memory !== undefined, 'snyk-monitor has memory resource request');
 });
+
+tap.test('snyk-monitor secure configuration is as expected', async (t) => {
+  const kindConfigPath = await getKindConfigPath();
+  const kubeConfig = new KubeConfig();
+  kubeConfig.loadFromFile(kindConfigPath);
+
+  const k8sApi = kubeConfig.makeApiClient(AppsV1Api);
+
+  const response = await k8sApi.readNamespacedDeployment(
+    'snyk-monitor',
+    'snyk-monitor',
+  );
+  const deployment = response.body;
+
+  validateSecureConfiguration(t, deployment);
+  validateVolumeMounts(t, deployment);
+});

test/integration/kubernetes.test.ts

@@ -0,0 +1,24 @@
+import * as tap from 'tap';
+import { parse } from 'yaml';
+import { readFileSync } from 'fs';
+import { V1Deployment } from '@kubernetes/client-node';
+import * as snykConfig from '../../src/common/config';
+import { validateSecureConfiguration, validateVolumeMounts } from '../helpers/deployment';
+
+/**
+ * Note that these checks are also performed at runtime on the deployed snyk-monitor, see the integration tests.
+ */
+
+tap.test('ensure the security properties of the deployment files are unchanged', async (t) => {
+  t.same(snykConfig.IMAGE_STORAGE_ROOT, '/var/tmp', 'the snyk-monitor points to the correct mounted path');
+
+  const deploymentFiles = ['./snyk-monitor/templates/deployment.yaml', './snyk-monitor-deployment.yaml'];
+
+  for (const filePath of deploymentFiles) {
+    const fileContent = readFileSync(filePath, 'utf8');
+    const deployment: V1Deployment = parse(fileContent);
+
+    validateSecureConfiguration(t, deployment);
+    validateVolumeMounts(t, deployment);
+  }
+});