This repository has been archived by the owner on Oct 30, 2024. It is now read-only.

Not finding errors in deployment #523

Open
mtcolman opened this issue Feb 1, 2023 · 4 comments · May be fixed by #571

Comments


mtcolman commented Feb 1, 2023

ISSUE TYPE
  • Bug Report
  • Feature Idea

BUG REPORT

SUMMARY

I'm testing a deployment.yaml with low/no securityContexts within, and kubeaudit is not reporting any findings.

ENVIRONMENT
  • Kubeaudit version: 0.21.0
  • Kubeaudit install method: Linux, Ubuntu tar and mv to /usr/local/bin
STEPS TO REPRODUCE

Use this yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
  labels:
    app.kubernetes.io/name: mysql
    app.kubernetes.io/instance: mysql-abcxzy
    app.kubernetes.io/version: "5.7.21"
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: wordpress
    app.kubernetes.io/managed-by: helm
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes
      release: 1.7
  template:
    metadata:
      labels:
        app: hello-kubernetes
        release: 1.7
    spec:
#      securityContext:
#        runAsNonRoot: true
      containers:
      - name: container-one
        image: mytest/container-one:1.5
#        securityContext:
#          runAsNonRoot: true
        ports:
        - containerPort: 8080
      - name: container-two
        image: mytest/container-two:2.2
#        securityContext:
#          runAsNonRoot: true
        ports:
        - containerPort: 9000
EXPECTED RESULTS

I expected a lot of results of missing securityContexts and security related settings

ACTUAL RESULTS
$ kubeaudit all -f "deployment.yaml"
All checks completed. 0 high-risk vulnerabilities found
ADDITIONAL INFO

A similar test with a pod manifest worked as follows:

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
#  securityContext:
#    runAsNonRoot: true
  containers:
    - name: container-one
      image: mytest/container-one:1.5
      securityContext:
        runAsNonRoot: true
      ports:
      - containerPort: 8080
    - name: container-two
      image: mytest/container-two:2.2
#      securityContext:
#        runAsNonRoot: true
      ports:
      - containerPort: 9000
$ kubeaudit all -f "pod.yaml"

---------------- Results for ---------------

  apiVersion: v1
  kind: Pod
  metadata:
    name: example-pod

--------------------------------------------

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container-one' should be added.
   Metadata:
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container-one
      Container: container-one

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container-two' should be added.
   Metadata:
      Container: container-two
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container-two

-- [error] AutomountServiceAccountTokenTrueAndDefaultSA
   Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.

-- [error] CapabilityOrSecurityContextMissing
   Message: Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL.
   Metadata:
      Container: container-one

-- [error] CapabilityOrSecurityContextMissing
   Message: Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL.
   Metadata:
      Container: container-two

-- [warning] LimitsNotSet
   Message: Resource limits not set.
   Metadata:
      Container: container-one

-- [warning] LimitsNotSet
   Message: Resource limits not set.
   Metadata:
      Container: container-two

-- [error] RunAsNonRootPSCNilCSCNil
   Message: runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.
   Metadata:
      Container: container-two

-- [error] AllowPrivilegeEscalationNil
   Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
   Metadata:
      Container: container-one

-- [error] AllowPrivilegeEscalationNil
   Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
   Metadata:
      Container: container-two

-- [warning] PrivilegedNil
   Message: privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.
   Metadata:
      Container: container-one

-- [warning] PrivilegedNil
   Message: privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.
   Metadata:
      Container: container-two

-- [error] ReadOnlyRootFilesystemNil
   Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
   Metadata:
      Container: container-one

-- [error] ReadOnlyRootFilesystemNil
   Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
   Metadata:
      Container: container-two

-- [error] SeccompProfileMissing
   Message: Pod Seccomp profile is missing. Seccomp profile should be added to the pod SecurityContext.

github-actions bot commented Feb 1, 2023

Thanks for opening your first issue here! Be sure to follow the issue template!

@dani-santos-code
Contributor

Thank you for the bug report @mtcolman. Will try to reproduce on my end. Are you looking into implementing a fix or should we go ahead and fix it?


mtcolman commented Mar 2, 2023

@dani-santos-code thanks for getting back to me - I've now remembered that the issue was due to the labels:

release: 1.7

Needed to be changed to have quotes:

release: "1.7"

And then it worked:

kubeaudit all -f "deployment.yaml"

---------------- Results for ---------------

  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: hello-kubernetes

--------------------------------------------

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container-one' should be added.
   Metadata:
      Container: container-one
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container-one
...
...

So I think your code needs to handle if key/value pairs are incorrectly configured - i.e. it should realise it can/can't scan and then exit gracefully, rather than telling me there are no issues (when there clearly are some, as it found them when I've corrected a key/value error).
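
The failure mode described above (an unquoted label value that YAML types as a float, so the Deployment never decodes and the scan reports nothing) can be caught before running the audit. The pre-check below is an added example, not code from the issue or from kubeaudit itself; `find_untyped_labels` and `quote_untyped_labels` are hypothetical helper names, the manifest is a constructed excerpt of the deployment from this report, and the check goes beyond the page's float case to any plain scalar YAML would read as int, bool or null.

```python
import re
# Plain (unquoted) YAML scalars that a YAML decoder reads as int, float, bool or null
# rather than string; Kubernetes label/selector values must be strings, so one of
# these is enough to make the whole Deployment fail to decode.
NON_STRING = re.compile(
    r"^(?:[-+]?(?:\d+|\d*\.\d+)(?:[eE][-+]?\d+)?|0x[0-9a-fA-F]+|0o[0-7]+"   # 1, 1.7, 1e3, 0x1f
    r"|true|false|yes|no|on|off|null|True|False|Null|TRUE|FALSE|NULL|~)$")
KV = re.compile(r"^( *)([^ #][^:]*):(?: +(.*?))? *$")   # "  key: value" or "  key:"
LABEL_KEYS = {"labels", "matchLabels"}

def find_untyped_labels(manifest):
    """Return (line_no, key, value) for each label value YAML would not read as a string."""
    findings, block_indent = [], None      # block_indent: indent of the labels: key we are under
    for lineno, raw in enumerate(manifest.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                        # blank or comment (e.g. a commented-out securityContext)
        m = KV.match(raw.rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3) or ""
        if block_indent is not None and indent <= block_indent:
            block_indent = None             # dedented out of the labels map
        if block_indent is not None and value and NON_STRING.match(value):
            findings.append((lineno, key, value))
        elif key in LABEL_KEYS and not value:
            block_indent = indent
    return findings

def quote_untyped_labels(manifest):
    """Return the manifest with every offending label value wrapped in double quotes."""
    lines = manifest.split("\n")
    for lineno, _key, value in find_untyped_labels(manifest):
        lines[lineno - 1] = re.sub(r": *%s *$" % re.escape(value), ': "%s"' % value, lines[lineno - 1])
    return "\n".join(lines)

# Constructed sample: the selector and pod template from the issue's deployment, unquoted `release: 1.7` included.
SAMPLE = """\
spec:
  selector:
    matchLabels:
      app: hello-kubernetes
      release: 1.7
  template:
    metadata:
      labels:
        release: 1.7
    spec:
#      securityContext:
      containers:
"""
```

Run the check before trusting a "0 high-risk vulnerabilities found" result: a non-empty list means the manifest is not a valid Deployment and the audit output is meaningless.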


mtcolman commented Mar 2, 2023

And I'd be very grateful if you could please provide the fix (as I don't know how).

@fedeztk fedeztk linked a pull request Sep 1, 2023 that will close this issue