-
Notifications
You must be signed in to change notification settings - Fork 14
Expand file tree
/
Copy pathControllerReadOnlyFileSystem.yaml
More file actions
61 lines (55 loc) · 2.53 KB
/
ControllerReadOnlyFileSystem.yaml
File metadata and controls
61 lines (55 loc) · 2.53 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
apiVersion: pac.weave.works/v2beta3
kind: Policy
metadata:
name: weave.policies.containers-read-only-root-filesystem
spec:
id: weave.policies.containers-read-only-root-filesystem
name: Containers Read Only Root Filesystem
enforce: true
description: "This Policy will cause a violation if the root file system is not mounted as specified. As a security practice, the root file system should be read-only or expose risk to your nodes if compromised. \n\nThis Policy requires containers must run with a read-only root filesystem (i.e. no writable layer).\n"
how_to_solve: "Set `readOnlyRootFilesystem` in your `securityContext` to the value specified in the Policy. \n```\n...\n spec:\n containers:\n - securityContext:\n readOnlyRootFilesystem: <read_only>\n```\n\nhttps://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems\n"
category: weave.categories.pod-security
severity: high
targets: {kinds: [Deployment, Job, ReplicationController, ReplicaSet, DaemonSet, StatefulSet, CronJob]}
standards:
- id: weave.standards.mitre-attack
controls:
- weave.controls.mitre-attack.3.2
- id: weave.standards.nist-800-190
controls:
- weave.controls.nist-800-190.4.4.4
tags: [mitre-attack, nist800-190]
parameters:
- name: read_only
type: boolean
required: true
value: true
code: |
package weave.advisor.podSecurity.enforce_ro_fs
import future.keywords.in
read_only = input.parameters.read_only
violation[result] {
some i
containers := controller_spec.containers[i]
root_fs := containers.securityContext.readOnlyRootFilesystem
not root_fs == read_only
result = {
"issue detected": true,
"msg": sprintf("readOnlyRootFilesystem should equal '%v'; detected '%v'", [read_only, root_fs]),
"recommended_value": read_only,
"violating_key": sprintf("spec.template.spec.containers[%v].securityContext.readOnlyRootFilesystem", [i])
}
}
# Controller input
controller_input = input.review.object
# controller_container acts as an iterator to get containers from the template
controller_spec = controller_input.spec.template.spec {
contains_kind(controller_input.kind, {"StatefulSet" , "DaemonSet", "Deployment", "Job"})
} else = controller_input.spec {
controller_input.kind == "Pod"
} else = controller_input.spec.jobTemplate.spec.template.spec {
controller_input.kind == "CronJob"
}
contains_kind(kind, kinds) {
kinds[_] = kind
}