cloudbeat icon indicating copy to clipboard operation
cloudbeat copied to clipboard
verified publisher icon elastic

Remove dependency on PSPs, allowing us to bump K8s libraries' versions

Open kubasobon opened this issue 1 year ago • 2 comments

Description

Cloudbeat relies on Kubernetes (K8s) libraries that provide PodSecurityPolicy definitions. However, due to PSP deprecation, we are stuck with outdated libraries, preventing us from updating other dependencies and remediating CVEs.

Details

PodSecurityPolicies (PSPs) have been deprecated (K8s v1.21) and removed (K8s v1.25). cloudbeat officially supports K8s v1.23, hence we keep all golang libraries that interact with K8s pinned to v0.28. That is the last version containing PSPs, which were removed in v0.29 and later.

Remediating CVEs often requires a bump of a dependency version, which is prevented by the pinned K8s library version.

The one piece of code blocking the upgrade is the dependency on policyv1beta1.PodSecurityPolicy type definition, used to spawn an Informer to watch for events. See: internal/resources/fetching/fetchers/k8s/kube_fetcher.go

Proposed solution

Check if K8s API serves PSPs. If yes, use Dynamic Informer to watch them without having to provide a full type. If not, do not watch them at all (K8s >=v1.25).

Extra examples:

  • https://blog.dsb.dev/posts/creating-dynamic-informers/
  • https://firehydrant.com/blog/dynamic-kubernetes-informers/

kubasobon avatar Jul 24 '24 08:07 kubasobon

PSP Code has been removed on https://github.com/elastic/cloudbeat/pull/2356,

If we decide to not implement the PSP's we still need to remove all the commented infra/test code left behind

romulets avatar Jul 29 '24 07:07 romulets

@jeniawhite I believe the affected rules are as follows:

  • CIS K8s:
    • 1.2.13 - needs to be confirmed; technically it checks API server flags, not PSPs, but PSPs are mentioned
    • 5.2.3 - false positive, description mentions Pod Security Policies, but rule checks for Pod Security Standard field (.spec.hostPID); only the description needs fixing
  • CIS EKS:
    • 4.2.{1, 2, 3, 4, 5, 6, 7, 8, 9} - all reference PSPs, some upstream EKS PSPs; probably no longer applicable

The PR disabled the following:

  • CIS K8s: 5.2.{2,3,4,5,6,7,8,10}
  • CIS EKS: 4.2.{1,2,3,4,5,6}

I believe most of 5.2.x rules (with the exception of 5.2.3) check Pod Security Standards, not PSPs, and only need the Pod definition to evaluate. As for the others, we probably should find out what is the right subset of rules to disable.

kubasobon avatar Jul 29 '24 11:07 kubasobon