regolibrary icon indicating copy to clipboard operation
regolibrary copied to clipboard
verified publisher icon kubescape

Fix linux-hardening rule to properly evaluate containers with partial hardening

Open Copilot opened this issue 2 months ago • 5 comments

Overview

The linux-hardening rule incorrectly passed containers that had partial security hardening (e.g., capabilities.drop but no seccomp). The original logic required ALL mechanisms (seccomp AND selinux AND capabilities) to be missing before flagging. Additionally, initContainers were never evaluated.

Changes:

  • Fixed evaluation logic: A container is now flagged only if it has NONE of: seccomp (pod/container level), selinux (pod/container level), apparmor (pod level), or capabilities.drop (container level)
  • Added initContainer support: Both regular containers and initContainers are now checked
  • Proper inheritance: Pod-level security contexts that apply to all containers are correctly evaluated

Example scenario that now fails correctly:

spec:
  containers:
  - name: proxy
    securityContext:
      seccompProfile:
        type: RuntimeDefault
  - name: app
    securityContext:
      capabilities:
        drop: [ALL]
      # Missing seccomp - now correctly flagged as unsafe

Additional Information

Added 6 test cases covering:

  • Mixed security configurations across containers
  • Pod-level vs container-level inheritance
  • InitContainers without hardening
  • Partial hardening scenarios

All existing tests pass, confirming backward compatibility.

Related issues/PRs:

  • Addresses issue with Kubescape not reporting Linux hardening correctly for pods with multiple containers

Checklist before requesting a review

  • [x] My code follows the style guidelines of this project
  • [x] I have commented on my code, particularly in hard-to-understand areas
  • [x] I have performed a self-review of my code
  • [x] If it is a core feature, I have added thorough tests.
  • [x] New and existing unit tests pass locally with my changes
Original prompt

This section details on the original issue you should resolve

<issue_title>Kubescape does not report control: Linux hardening correctly</issue_title> <issue_description># Description

Kubescape was not able to report Linux hardening correctly for scenario where pod definition has multiple containers and if seccomp runtime default profile is missing in one of the containers

Environment

OS: Oracle Linux 7 Version: v3.0.35

Steps To Reproduce

Expected behavior

For pod having multiple containers, seccomp profile needs to be checked for all of them and in case its missing for any, it should report for that container

Actual Behavior

For pod having multiple containers, seccomp profile was present for only 2 containers, and not others. But kubescape gave it a pass for the rest and did not report.

Additional context

Details:

Defined: initContainer linkerd-init: securityContext.seccompProfile.type: RuntimeDefault container linkerd-proxy: securityContext.seccompProfile.type: RuntimeDefault Missing: main application container : no seccompProfile set pod-level spec.securityContext is empty (no pod-wide seccomp profile)</issue_description>

Comments on the Issue (you are @copilot in this section)

  • Fixes kubescape/regolibrary#684

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot avatar Dec 03 '25 16:12 Copilot