datree
Ensure seccomp profile must not be explicitly set to Unconfined
Describe the solution you'd like
We want to add a new default rule for Containers that ensures the seccomp profile is restricted and not set to unconfined.
Requirements
- The rule should be ON by default.
- The rule identifier should be `CONTAINERS_INCORRECT_SECCOMP_PROFILE`.
- The rule should ensure `seccompProfile.type` is not equal to `unconfined`. `seccompProfile.type` can be under these paths:
  - `spec.securityContext`
  - `spec.containers[*].securityContext`
  - `spec.initContainers[*].securityContext`
  - `spec.ephemeralContainers[*].securityContext`
How to create a new default rule?
- Write the rule logic in JSON schema (but in yaml format). For your convenience you can use our online yaml schema validator tool.
- Add the new rule as a default rule:
  - Add a new entry in `pkg/defaultRules/defaultRules.yaml`.
  - Increase the `minItems`, `maxItems` and `maximum` properties of `rules` in `pkg/defaultRules/defaultRulesSchema.json`.
  - Add new entry in the
- Hooray! Submit a PR 🙂
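As an added illustration of the rule logic the requirements above describe (this is not datree's own rule definition, and the `definitions` names are my own), here is the schema body, as JSON schema written in YAML, that fails a configuration whose `seccompProfile.type` is Unconfined at any of the four listed paths while leaving resources without those keys untouched:

```yaml
# Added example, not datree's own rule: schema body for
# CONTAINERS_INCORRECT_SECCOMP_PROFILE, written as JSON schema in YAML.
# No "type:" keywords are used on spec/containers, so "properties" and
# "items" are simply skipped on resources that lack those keys
# (ConfigMaps, Services, ...) instead of failing them.
definitions:
  seccompNotUnconfined:
    properties:
      securityContext:
        properties:
          seccompProfile:
            properties:
              type:
                # Kubernetes spells the value "Unconfined"; the lower-case
                # form is rejected as well so a typo does not slip past.
                not:
                  enum:
                    - Unconfined
                    - unconfined
  containerList:
    # Applies the securityContext check to every element of a container array.
    items:
      $ref: "#/definitions/seccompNotUnconfined"
properties:
  spec:
    allOf:
      # Pod level: spec.securityContext
      - $ref: "#/definitions/seccompNotUnconfined"
      # Container level: spec.containers[*], spec.initContainers[*],
      # spec.ephemeralContainers[*]
      - properties:
          containers:
            $ref: "#/definitions/containerList"
          initContainers:
            $ref: "#/definitions/containerList"
          ephemeralContainers:
            $ref: "#/definitions/containerList"
```

A pod with `seccompProfile.type: RuntimeDefault` or `Localhost` (or with no `seccompProfile` at all) passes this schema; only an explicit Unconfined value fails it, which matches the issue title.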
Guidelines
- The issue requires Golang basic level and JSON schema familiarity.
- All default rules are written in JSON schema and located in the `defaultRules` package.
- The validation itself is happening in the `JsonSchemaValidator` package function `ValidateYamlSchema`. The validation process happens in `bl/evaluation/evaluator.go -> evaluateRule(..)` for every configuration that exists in every file that exists in a given path.
- Checkout rules `CONTAINERS_MISSING_CPU_REQUEST_KEY` and `ARGO_APP_PROJECT_INCORRECT_NAMESPACE_VALUE` as references.
📖 The reason behind the rule
In a Kubernetes container, the seccomp profile is set within the container's `securityContext`. The seccomp profile can be set at pod level or at container level. Running containers/Pods in `seccomp=unconfined` means one less isolation layer to protect your cluster and is advised against by the security community. No container in your cluster should run as `seccomp=unconfined`, especially in production environments.
More about seccomp
By default, Docker applies a seccomp profile called RuntimeDefault, which is suitable for most workloads. However, when we run Kubernetes, it replaces the default seccomp profile with Unconfined that does not restrict any system call. This means that all pods that do not specify a seccomp profile will automatically run with `seccomp=unconfined` (in 1.24 the default changed to RuntimeDefault).
Hi @noaabarki. Is there a documentation page on the hub to reference to in the rule?
Isn't it a required field for a rule?
On Sun, Aug 28, 2022 at 11:03 AM Adi Fayer wrote:
> @Heydad-Helfer Not yet, may I ask why exactly do you need the documentation page?
-- Heydad Helfer
@Heydad-Helfer It is, my bad :)
Hey @Heydad-Helfer, sorry about that, I accidentally missed it. Do you want to take on this issue? If so, I wrote this article, you can also use it as a reference. Don't hesitate to ask any question :)
Hi Noa, yes, I'd like to take this issue. I already opened a PR, but I still need to add the documentation link.
Thanks!
On Sun, Aug 28, 2022, 13:26 Noaa Barki wrote:
> Hey @Heydad-Helfer, sorry about that, I accidentally missed it. Do you want to take on this issue? If so, I wrote this article (https://www.datree.io/resources/eks-best-practices-you-should-know), you can also use it as a reference. Don't hesitate to ask any question :)