terrascan
Wrong detection of missing SecComp profile (policy: AC_K8S_0080) in K8s YAML file
Hello,
- terrascan version: v1.18.1
- Operating System: macOS Ventura Version 13.4.1
Description
When scanning a YAML file (Helm chart template), using terrascan, I always get the AC_K8S_0080-secCompProfile violated policy. I tried to define the SecComp profile as an annotation in both the resource metadata and template, and in both the resource and container's securityContext, but still get the violation.
What I Did
Terrascan version:
terrascan version
version: v1.18.1
YAML file:
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: release-name-mysql
  namespace: test-ns
  labels:
    app.kubernetes.io/name: mysql
    helm.sh/chart: mysql-9.7.1
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: primary
  annotations:
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
spec:
  replicas: 1
  podManagementPolicy: ''
  selector:
    matchLabels:
      app.kubernetes.io/name: mysql
      app.kubernetes.io/instance: RELEASE-NAME
      app.kubernetes.io/component: primary
  serviceName: release-name-mysql
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        checksum/configuration: 273d9244f42efc02f97b257d30cde438681bdbb466f738a1235b15f0fa4fff87
        container.apparmor.security.beta.kubernetes.io/mysql: runtime/default
        seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
      labels:
        app.kubernetes.io/name: mysql
        helm.sh/chart: mysql-9.7.1
        app.kubernetes.io/instance: RELEASE-NAME
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: primary
    spec:
      serviceAccountName: release-name-mysql
      affinity:
        podAffinity: null
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: mysql
                    app.kubernetes.io/instance: RELEASE-NAME
                topologyKey: kubernetes.io/hostname
              weight: 1
        nodeAffinity: null
      securityContext:
        fsGroup: 1001
        seccompProfile:
          type: RuntimeDefault
      initContainers: null
      containers:
        - name: mysql
          image: mysql:8-oracle@sha256:47e045b6313ef483654ac47c31e6fdbfc6ecf6b399a65c03859bee2cfbb1621f
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsNonRoot: true
            runAsUser: 1001
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
Terrascan command:
terrascan scan -i k8s -f chart_template.yaml
Terrascan output:
Violation Details -
Description : Default seccomp profile not enabled will make the container to make non-essential system calls
File : chart_template.yaml
Line : 151
Severity : MEDIUM
-----------------------------------------------------------------------
Scan Summary -
File/Folder : chart_template.yaml
IaC Type : k8s
Scanned At : 2023-07-05 10:23:39.193272 +0000 UTC
Policies Validated : 42
Violated Policies : 1
Low : 0
Medium : 1
High : 0
How can I define the seccomp profile for a resource so that the violation disappears? Thank you.
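As an added example (not terrascan's policy code and not part of the issue), here is a small Python checker that applies what policy AC_K8S_0080 is meant to enforce: every container, init containers included, must run under a seccomp profile. It resolves the profile the way Kubernetes does (container-level `securityContext.seccompProfile` first, then the legacy container annotation, then the pod-level field, then the legacy pod annotation), and treats an explicit `Unconfined`/`unconfined` as a finding. The manifests in the block are constructed dicts that mirror the issue's StatefulSet with only the seccomp-relevant fields kept, so no YAML parser is needed. One caveat worth knowing: `seccomp.security.alpha.kubernetes.io/defaultProfileName`, the key used in the issue's YAML, is a PodSecurityPolicy annotation and is inert on a Pod or pod template; the pod-level keys were `seccomp.security.alpha.kubernetes.io/pod` and `container.seccomp.security.alpha.kubernetes.io/<container>`, and all of these annotations were removed in Kubernetes 1.27, so the `securityContext.seccompProfile` fields the YAML already sets are the right way to declare the profile.

```python
"""Minimal seccomp-coverage check for a Kubernetes workload manifest.

Added example, not terrascan's own policy code. It implements the intent of
policy AC_K8S_0080 (every container must run under a seccomp profile) and is
used to show that the issue's StatefulSet should pass such a check.
"""

# Legacy annotation keys Kubernetes honoured before securityContext.seccompProfile
# existed (both removed in Kubernetes 1.27).
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"
# The key used in the issue is a PodSecurityPolicy annotation; on a Pod or a
# pod template it has no effect, so the checker deliberately ignores it.
PSP_DEFAULT_ANNOTATION = "seccomp.security.alpha.kubernetes.io/defaultProfileName"

UNSET = None            # no seccomp setting at this level
UNCONFINED = "unconfined"  # explicitly opted out of seccomp


def pod_template(manifest):
    """Return (pod metadata, pod spec) for a bare Pod or a workload controller."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata") or {}, manifest.get("spec") or {}
    template = (manifest.get("spec") or {}).get("template") or {}
    return template.get("metadata") or {}, template.get("spec") or {}


def profile_from_context(security_context):
    """Seccomp source from a securityContext block: UNSET, UNCONFINED or a profile."""
    profile_type = ((security_context or {}).get("seccompProfile") or {}).get("type")
    if profile_type is None:
        return UNSET
    if profile_type == "Unconfined":
        return UNCONFINED
    return "securityContext/" + profile_type  # RuntimeDefault or Localhost


def profile_from_annotation(value):
    """Seccomp source from a legacy annotation value: UNSET, UNCONFINED or a profile."""
    if value is None:
        return UNSET
    if value == "unconfined":
        return UNCONFINED
    return "annotation/" + value  # e.g. runtime/default or localhost/<profile>


def container_profile(container, pod_meta, pod_spec):
    """Most specific seccomp setting for one container, in Kubernetes precedence order."""
    annotations = pod_meta.get("annotations") or {}
    for source in (
        profile_from_context(container.get("securityContext")),
        profile_from_annotation(annotations.get(CONTAINER_ANNOTATION_PREFIX + container["name"])),
        profile_from_context(pod_spec.get("securityContext")),
        profile_from_annotation(annotations.get(POD_ANNOTATION)),
    ):
        if source is not UNSET:
            return source
    return UNSET


def seccomp_report(manifest):
    """Map every container (init containers included) to its seccomp source."""
    pod_meta, pod_spec = pod_template(manifest)
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    return {c["name"]: container_profile(c, pod_meta, pod_spec) for c in containers}


def unconfined_containers(manifest):
    """Names of containers a correctly implemented AC_K8S_0080 should flag."""
    return [name for name, source in seccomp_report(manifest).items()
            if source in (UNSET, UNCONFINED)]


# Constructed from the issue's StatefulSet: pod- and container-level seccompProfile,
# plus the inert PSP annotation at both metadata levels.
ISSUE_STATEFULSET = {
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    "metadata": {"name": "release-name-mysql",
                 "annotations": {PSP_DEFAULT_ANNOTATION: "runtime/default"}},
    "spec": {"template": {
        "metadata": {"annotations": {PSP_DEFAULT_ANNOTATION: "runtime/default"}},
        "spec": {
            "securityContext": {"fsGroup": 1001, "seccompProfile": {"type": "RuntimeDefault"}},
            "initContainers": None,
            "containers": [{"name": "mysql",
                            "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}],
        }}},
}

# Constructed negative case: only the inert PSP annotation, no seccompProfile anywhere.
ANNOTATION_ONLY = {
    "kind": "Deployment",
    "spec": {"template": {
        "metadata": {"annotations": {PSP_DEFAULT_ANNOTATION: "runtime/default"}},
        "spec": {"containers": [{"name": "web"}, {"name": "sidecar"}]},
    }},
}

if __name__ == "__main__":
    for label, manifest in (("issue StatefulSet", ISSUE_STATEFULSET),
                            ("annotation only", ANNOTATION_ONLY)):
        print(label, seccomp_report(manifest), "unconfined:", unconfined_containers(manifest))
```

Running the block reports the issue's StatefulSet with no unconfined container, which is the result a correct policy should return for it, while the annotation-only manifest is flagged on both containers. Until the bug referenced in the comments below is fixed, the workaround mentioned there is terrascan's `skip-rules` list under the `[rules]` table of its config.toml (the key name is taken from terrascan's configuration documentation as I know it).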
@fminna - I'm also getting the same warning.
Same here, it's a bug (see https://github.com/tenable/terrascan/issues/1604). I'm having to add it as a skipped rule in the config.toml for now.