
PodSecurityContext ignored for related checks

Open sgspinola opened this issue 3 years ago • 4 comments

Describe the issue
For checks like CKV_K8S_28 or CKV_K8S_31, checkov fails to recognise the presence of a securityContext addressing the specific configuration at Pod level. As per the documentation at Set the securityContext for a Pod:

The security settings that you specify for a Pod apply to all Containers in the Pod.

So I expect Checkov to be aware of this field when it comes to related checks. Is there any logic I might be missing for this behaviour?

Examples
The following sample Deployment fails when checked against CKV_K8S_28:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysample-deployment
spec:
  replicas: 1
  template:
    spec:
      securityContext:
        capabilities:
          drop:
          - all
      initContainers:
        - name: init
          image: myimage
          imagePullPolicy: IfNotPresent
          # securityContext:
          #   capabilities:
          #     drop:
          #     - all
      terminationGracePeriodSeconds: 60
      containers:
        - name: main
          image: myimage
          imagePullPolicy: IfNotPresent
          # securityContext:
          #   capabilities:
          #     drop:
          #     - all

Output:

Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
        FAILED for resource: Deployment.default.mysample-deployment
        File: /sample.yaml:1-25
        Guide: https://docs.bridgecrew.io/docs/bc_k8s_27

                1  | apiVersion: apps/v1
                2  | kind: Deployment
                3  | metadata:
                4  |   name: mysample-deployment
                5  | spec:
                6  |   replicas: 1
                7  |   template:
                 ...

But when applied on initContainers and containers, it passes the check:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysample-deployment
spec:
  replicas: 1
  template:
    spec:
      # securityContext:
      #   capabilities:
      #     drop:
      #     - all
      initContainers:
        - name: init
          image: myimage
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              drop:
              - all
      terminationGracePeriodSeconds: 60
      containers:
        - name: main
          image: myimage
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              drop:
              - all

Output:

$ checkov --directory . --quiet --framework kubernetes --check CKV_K8S_28
kubernetes scan results:

Passed checks: 1, Failed checks: 0, Skipped checks: 0

Version (please complete the following information):

  • Checkov Version: 2.1.90

Additional context
Installed through pip3

sgspinola avatar Aug 03 '22 12:08 sgspinola

Hey @fillodemanuel, thanks for reaching out. You are right, we don't consider the securityContext under the spec block. Are you interested in contributing the needed changes?

gruebel avatar Aug 19 '22 10:08 gruebel

Hi @gruebel, I won't have much availability in the coming weeks but I'll give it a try!

sgspinola avatar Aug 19 '22 12:08 sgspinola

Hi @gruebel, can I take a shot at this? I see that the code here has to be modified to consider the spec cases below for the security contexts: https://github.com/bridgecrewio/checkov/blob/0892daf98384b045c7c84984503dc0b0a0f70d2f/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py#L17

DiptoChakrabarty avatar Sep 17 '22 13:09 DiptoChakrabarty

Hey @DiptoChakrabarty, sure, go ahead 🙂 For adding tests you will need to look here https://github.com/bridgecrewio/checkov/tree/0892daf98384b045c7c84984503dc0b0a0f70d2f/tests/kubernetes/checks/example_DropCapabilities and here https://github.com/bridgecrewio/checkov/blob/0892daf98384b045c7c84984503dc0b0a0f70d2f/tests/kubernetes/checks/test_DropCapabilities.py

gruebel avatar Sep 17 '22 15:09 gruebel

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Mar 16 '23 18:03 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

stale[bot] avatar Mar 31 '23 01:03 stale[bot]

Hi, I'm looking at this and trying to come up with a solution but I hit a wall.

The base_container_check now checks the entire Spec block, including the securityContext at Pod level. However, to prevent the scan from failing even if the securityContext is set at Pod level because it does not detect the securityContext in the (init)container, I changed

if result == CheckResult.FAILED: return CheckResult.FAILED

to:

if result == CheckResult.PASSED: return CheckResult.PASSED

This stops evaluating if the securityContext is set at the Pod level but keeps going if it's missing. The problem now is: if I set AllowPrivilegeEscalation to False at the Pod level but also specify it at the (init)container level and set it to True, it still passes the check. I can't figure out how to check if it's set at Pod level AND (init)container level. I thought about checking if the securityContext is set at the (init)container level and, if True, keep evaluating; if False, stop. But other settings could be set at the lower (init)container level which have nothing to do with the current check.

Hope this made sense, happy to hear what anyone thinks.

jgardezy avatar Apr 05 '23 10:04 jgardezy
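The merge rule that jgardezy's comment is circling around, and the reason the issue's first manifest cannot pass CKV_K8S_28 at Pod level, as an added Python example (editor's illustration, not checkov's own code). The field sets follow the Kubernetes core/v1 API: a container inherits a Pod-level field only where both PodSecurityContext and the container SecurityContext define it, and the container's own value wins. The PASSED/FAILED strings, the two check functions and the sample Pod specs are constructed stand-ins for checkov's CheckResult, DropCapabilities logic and test fixtures.

```python
# Added example (not checkov's code): compute the securityContext a container
# actually runs with by merging the Pod-level PodSecurityContext with the
# container's own SecurityContext, then run per-container checks on the result.
# Field sets follow the Kubernetes core/v1 API; the check functions and the
# PASSED/FAILED strings are a simplified stand-in for checkov's CheckResult.
from __future__ import annotations

from typing import Any, Callable

# Fields present on both PodSecurityContext and the container SecurityContext:
# the Pod value applies to every container unless the container overrides it.
POD_AND_CONTAINER = {
    "runAsUser", "runAsGroup", "runAsNonRoot",
    "seLinuxOptions", "seccompProfile", "windowsOptions",
}
# Fields that exist only on the container SecurityContext. PodSecurityContext
# has no `capabilities`, `privileged` or `allowPrivilegeEscalation`, so a
# Pod-level setting of these is not part of the API and nothing is inherited.
CONTAINER_ONLY = {
    "capabilities", "privileged", "allowPrivilegeEscalation",
    "readOnlyRootFilesystem", "procMount",
}

PASSED, FAILED = "PASSED", "FAILED"


def effective_security_context(pod_spec: dict[str, Any], container: dict[str, Any]) -> dict[str, Any]:
    """Pod-level defaults first, then container-level values override them."""
    pod_sc = pod_spec.get("securityContext") or {}
    container_sc = container.get("securityContext") or {}
    effective = {k: v for k, v in pod_sc.items() if k in POD_AND_CONTAINER}
    effective.update(container_sc)  # the container always wins on a shared field
    return effective


def check_run_as_non_root(pod_spec: dict[str, Any], container: dict[str, Any]) -> str:
    """Pass only if the container effectively runs as non-root (inheritable field)."""
    sc = effective_security_context(pod_spec, container)
    return PASSED if sc.get("runAsNonRoot") is True else FAILED


def check_drop_net_raw(pod_spec: dict[str, Any], container: dict[str, Any]) -> str:
    """Simplified model of the NET_RAW check: dropping ALL or NET_RAW passes.
    `capabilities` is container-only, so a Pod-level value never reaches here."""
    caps = effective_security_context(pod_spec, container).get("capabilities") or {}
    dropped = {str(c).upper() for c in caps.get("drop") or []}
    return PASSED if dropped & {"ALL", "NET_RAW"} else FAILED


def scan_pod(pod_spec: dict[str, Any], check: Callable[..., str]) -> dict[str, str]:
    """Run one check over every initContainer and container of a Pod spec."""
    results: dict[str, str] = {}
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind) or []:
            results[f"{kind}/{c['name']}"] = check(pod_spec, c)
    return results


def pod_result(pod_spec: dict[str, Any], check: Callable[..., str]) -> str:
    """Aggregate as the original code did: any failing container fails the Pod.
    With merged per-container contexts this rule can stay as it was."""
    return FAILED if FAILED in scan_pod(pod_spec, check).values() else PASSED


# --- constructed sample Pod specs (the template.spec of a Deployment) --------
def _pod(pod_sc=None, init_sc=None, main_sc=None) -> dict[str, Any]:
    def ctr(name: str, sc) -> dict[str, Any]:
        c: dict[str, Any] = {"name": name, "image": "myimage"}
        if sc is not None:
            c["securityContext"] = sc
        return c
    spec: dict[str, Any] = {"initContainers": [ctr("init", init_sc)],
                            "containers": [ctr("main", main_sc)]}
    if pod_sc is not None:
        spec["securityContext"] = pod_sc
    return spec

# Pod-level only: the situation the issue expects to pass.
POD_LEVEL_NONROOT = _pod(pod_sc={"runAsNonRoot": True})
# Pod says non-root, but the main container overrides it: must fail.
OVERRIDDEN_NONROOT = _pod(pod_sc={"runAsNonRoot": True}, main_sc={"runAsNonRoot": False})
# Shape of the issue's first manifest: capabilities at Pod level, nothing on containers.
CAPS_AT_POD_LEVEL = _pod(pod_sc={"capabilities": {"drop": ["all"]}})
# Shape of the issue's second manifest: capabilities dropped on each container.
CAPS_AT_CONTAINER_LEVEL = _pod(init_sc={"capabilities": {"drop": ["all"]}},
                               main_sc={"capabilities": {"drop": ["all"]}})

if __name__ == "__main__":
    for label, spec, check in [
        ("runAsNonRoot at Pod level", POD_LEVEL_NONROOT, check_run_as_non_root),
        ("runAsNonRoot overridden by container", OVERRIDDEN_NONROOT, check_run_as_non_root),
        ("capabilities at Pod level", CAPS_AT_POD_LEVEL, check_drop_net_raw),
        ("capabilities at container level", CAPS_AT_CONTAINER_LEVEL, check_drop_net_raw),
    ]:
        print(f"{label}: {pod_result(spec, check)} {scan_pod(spec, check)}")
```

Two points follow from running this. First, the "set at Pod level AND at container level" problem disappears once the check is evaluated on the merged context rather than on each level separately: the Pod value acts as a default, the container value overrides it, and the original "any FAILED container fails the Pod" aggregation can stay unchanged. Second, PodSecurityContext has no `capabilities` field, so for CKV_K8S_28 there is nothing to inherit and the drop must be declared on each container, exactly as in the issue's second manifest; Pod-level inheritance matters for fields such as runAsNonRoot, runAsUser and seccompProfile.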