
Helm chart scans use only 4 policies #946

Closed
MMerzinger opened this issue Jul 24, 2021 · 4 comments · Fixed by #963

@MMerzinger

Hello everyone

  • terrascan version: 1.8.1 (also applies to 1.7.0)
  • Operating System: Docker / ubuntu 20.04

Description

I tried to scan a helm chart with the latest version of Terrascan using Docker and the binary on ubuntu. Unfortunately, terrascan only used 4 policies and not the whole policy set available for Kubernetes resources.

What I Did

I used the docker image and a fresh installation on ubuntu 20.04.

First: Create a new Helm chart.
helm create demo

I used helm 3.6.2. To make sure it definitely violates a policy I modified the values file by adding these lines:

securityContext:
  runAsUser: 0
  runAsNonRoot: false

Next I scanned the chart:

docker run -it --rm -v $(pwd)/charts:/iac --workdir /iac  accurics/terrascan:1.8.1 scan -i helm
Unable to find image 'accurics/terrascan:1.8.1' locally
1.8.1: Pulling from accurics/terrascan
df20fa9351a1: Already exists
9fcc4075d037: Pull complete
ff48bb80287c: Pull complete
70908e19cba3: Pull complete
00b40155f92c: Pull complete
15a98698a174: Pull complete
Digest: sha256:2ad293e6fbd19ea75b9d25acdefb6098395684f79328c4593c9549140b35afbb
Status: Downloaded newer image for accurics/terrascan:1.8.1


Scan Summary -

	File/Folder         :	/iac
	IaC Type            :	helm
	Scanned At          :	2021-07-24 19:09:18.9616982 +0000 UTC
	Policies Validated  :	4
	Violated Policies   :	0
	Low                 :	0
	Medium              :	0
	High                :	0

Next I tried it with version 1.7.0:

docker run -it --rm -v $(pwd)/charts:/iac --workdir /iac  accurics/terrascan:1.7.0 scan -i helm
Unable to find image 'accurics/terrascan:1.7.0' locally
1.7.0: Pulling from accurics/terrascan
df20fa9351a1: Already exists
5573de2bbb21: Pull complete
bde05d5a695f: Pull complete
6e85805bce45: Pull complete
3e31be7992c2: Pull complete
46afa3f6a65b: Pull complete
Digest: sha256:4ccc3598a90cf08580dca2a21ebbc7ee8424ef3537b90dac1bb3f600eca70f5e
Status: Downloaded newer image for accurics/terrascan:1.7.0


Scan Summary -

	File/Folder         :	/iac
	IaC Type            :	helm
	Scanned At          :	2021-07-24 19:00:14.8795938 +0000 UTC
	Policies Validated  :	4
	Violated Policies   :	0
	Low                 :	0
	Medium              :	0
	High                :	0

Same result. So I tried it with 1.6.0:

docker run -it --rm -v $(pwd)/charts:/iac --workdir /iac  accurics/terrascan:1.6.0 scan -i helm
Unable to find image 'accurics/terrascan:1.6.0' locally
1.6.0: Pulling from accurics/terrascan
df20fa9351a1: Already exists
b4cc373f0b82: Pull complete
7cce144db54e: Pull complete
0ed4f5362aea: Pull complete
fed0fb7e8227: Pull complete
a50e1d0c88c9: Pull complete
Digest: sha256:7536a5823efac9536b419ae705ebb68182c0c6679f831583e35849ff5f041526
Status: Downloaded newer image for accurics/terrascan:1.6.0


Violation Details -

	Description    :	AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	MEDIUM
	-----------------------------------------------------------------------

	Description    :	Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	MEDIUM
	-----------------------------------------------------------------------

	Description    :	Ensure default name space is not in use in Kubernetes Namespace
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	LOW
	-----------------------------------------------------------------------

	Description    :	Minimize Admission of Root Containers
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	HIGH
	-----------------------------------------------------------------------

	Description    :	CPU Request Not Set in config file.
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	Medium
	-----------------------------------------------------------------------

	Description    :	Memory Request Not Set in config file.
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	Medium
	-----------------------------------------------------------------------

	Description    :	Memory Limits Not Set in config file.
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	Medium
	-----------------------------------------------------------------------

	Description    :	Containers Should Not Run with AllowPrivilegeEscalation
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	HIGH
	-----------------------------------------------------------------------

	Description    :	Default seccomp profile not enabled will make the container to make non-essential system calls
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	MEDIUM
	-----------------------------------------------------------------------

	Description    :	Image without digest affects the integrity principle of image security
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	MEDIUM
	-----------------------------------------------------------------------

	Description    :	CPU Limits Not Set in config file.
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	Medium
	-----------------------------------------------------------------------

	Description    :	Containers Should Run as a High UID to Avoid Host Conflict
	File           :	demo/templates/deployment.yaml
	Line           :	1
	Severity       :	MEDIUM
	-----------------------------------------------------------------------


Scan Summary -

	File/Folder         :	/iac
	IaC Type            :	helm
	Scanned At          :	2021-07-24 19:01:38.3862956 +0000 UTC
	Policies Validated  :	757
	Violated Policies   :	12
	Low                 :	1
	Medium              :	9
	High                :	2

Now we have some policy violations.

FYI: I had the same results with fresh installations on ubuntu. Playing around with categories, e.g. by explicitly selecting the kubernetes_pod category, results in an error:

docker run -it --rm -v $(pwd)/charts:/iac --workdir /iac  accurics/terrascan:1.8.1 scan -i helm --categories kubernetes_pod
2021-07-24T19:14:16.722Z	error	cli/run.go:114	scan run failed{error 26 0  category not supported : [KUBERNETES_POD]}
@cesar-rodriguez
Contributor

cesar-rodriguez commented Jul 24, 2021

I was able to reproduce the issue in Terrascan versions higher than 1.6.0.

$ docker run -it --rm accurics/terrascan:1.6.0 scan -i helm -r git -u github.com/helm/charts//stable//wordpress


Violation Details -
    
	Description    :	Containers Should Not Run with AllowPrivilegeEscalation
	File           :	wordpress/templates/deployment.yaml
	Line           :	1
	Severity       :	HIGH
	-----------------------------------------------------------------------
	
	Description    :	Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions
	File           :	wordpress/templates/deployment.yaml
	Line           :	1
	Severity       :	MEDIUM
	-----------------------------------------------------------------------
	
	Description    :	Minimize Admission of Root Containers
	File           :	wordpress/templates/deployment.yaml
	Line           :	1
	Severity       :	HIGH
	-----------------------------------------------------------------------
	
	Description    :	AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats
	File           :	wordpress/templates/deployment.yaml
	Line           :	1
	Severity       :	MEDIUM
	-----------------------------------------------------------------------
	
	Description    :	Prefer using secrets as files over secrets as environment variables
	File           :	wordpress/templates/deployment.yaml
	Line           :	1
	Severity       :	HIGH
	-----------------------------------------------------------------------
	
	Description    :	Apply Security Context to Your Pods and Containers
	File           :	wordpress/templates/deployment.yaml
	Line           :	1
	Severity       :	MEDIUM
	-----------------------------------------------------------------------
	
	Description    :	CPU Limits Not Set in config file.
	File           :	wordpress/templates/deployment.yaml
	Line           :	1
	Severity       :	Medium
	-----------------------------------------------------------------------
	
	Description    :	Memory Limits Not Set in config file.
	File           :	wordpress/templates/deployment.yaml
	Line           :	1
	Severity       :	Medium
	-----------------------------------------------------------------------
	
	Description    :	Default seccomp profile not enabled will make the container to make non-essential system calls
	File           :	wordpress/templates/deployment.yaml
	Line           :	1
	Severity       :	MEDIUM
	-----------------------------------------------------------------------
	
	Description    :	Ensure default name space is not in use in Kubernetes Namespace
	File           :	wordpress/templates/deployment.yaml
	Line           :	1
	Severity       :	LOW
	-----------------------------------------------------------------------
	
	Description    :	Image without digest affects the integrity principle of image security
	File           :	wordpress/templates/deployment.yaml
	Line           :	1
	Severity       :	MEDIUM
	-----------------------------------------------------------------------
	
	Description    :	Ensure the use of selector is enforced for Kubernetes Ingress or LoadBalancer service
	File           :	wordpress/templates/svc.yaml
	Line           :	1
	Severity       :	LOW
	-----------------------------------------------------------------------
	

Scan Summary -

	File/Folder         :	/tmp/sca1bj/stable/wordpress
	IaC Type            :	helm
	Scanned At          :	2021-07-24 20:12:43.305551 +0000 UTC
	Policies Validated  :	757
	Violated Policies   :	12
	Low                 :	2
	Medium              :	7
	High                :	3
$ docker run -it --rm accurics/terrascan:1.8.1 scan -i helm -r git -u github.com/helm/charts//stable//wordpress


Violation Details -
    
	Description    :	Ensure the use of selector is enforced for Kubernetes Ingress or LoadBalancer service
	File           :	wordpress/templates/svc.yaml
	Line           :	1
	Severity       :	LOW
	-----------------------------------------------------------------------
	

Scan Summary -

	File/Folder         :	github.com/helm/charts//stable//wordpress
	IaC Type            :	helm
	Scanned At          :	2021-07-24 20:14:03.9299656 +0000 UTC
	Policies Validated  :	4
	Violated Policies   :	1
	Low                 :	1
	Medium              :	0
	High                :	0
$ docker run -it --rm accurics/terrascan:1.7.0 scan -i helm -r git -u github.com/helm/charts//stable//wordpress
Unable to find image 'accurics/terrascan:1.7.0' locally
1.7.0: Pulling from accurics/terrascan
df20fa9351a1: Already exists 
5573de2bbb21: Pull complete 
bde05d5a695f: Pull complete 
6e85805bce45: Pull complete 
3e31be7992c2: Pull complete 
46afa3f6a65b: Pull complete 
Digest: sha256:4ccc3598a90cf08580dca2a21ebbc7ee8424ef3537b90dac1bb3f600eca70f5e
Status: Downloaded newer image for accurics/terrascan:1.7.0


Violation Details -
    
	Description    :	Ensure the use of selector is enforced for Kubernetes Ingress or LoadBalancer service
	File           :	wordpress/templates/svc.yaml
	Line           :	1
	Severity       :	LOW
	-----------------------------------------------------------------------
	

Scan Summary -

	File/Folder         :	/tmp/0c5scj/stable/wordpress
	IaC Type            :	helm
	Scanned At          :	2021-07-24 20:17:12.0393351 +0000 UTC
	Policies Validated  :	4
	Violated Policies   :	1
	Low                 :	1
	Medium              :	0
	High                :	0

@kanchwala-yusuf
Contributor

Hi @MMerzinger,
Thank you for reporting this. Here is my understanding of the issue:

The scan behavior before 1.6.0 was to evaluate a given resource config against all the available policies, which also included irrelevant policies for aws, gcp, azure and k8s, and the count of Policies Validated = 757.

In 1.7.0 we introduced a concept of filters which evaluated a resource config only for relevant policies based on resource type. In this case, I feel that there is an issue with RegoMetadataPreLoadFilter.

We need to investigate why RegoMetadataPreLoadFilter is not picking up all the relevant policies for helm.

@MMerzinger
Author

Hi @kanchwala-yusuf,

I wasn't aware of the filter concept in version 1.7.0, but I definitely agree on only validating the policies that are applicable to the resource type.

@patilpankaj212
Contributor

Hello @cesar-rodriguez, @kanchwala-yusuf,

The root cause of this issue is that a few of the kubernetes_pod policies are handling multiple types (kubernetes_deployment, kubernetes_job, kubernetes_replica_set etc.) for finding violations. However, the metadata of these policies does not include all the resource types they are handling, due to which these policies are filtered out by the PreScanFilter.
We should modify the metadata of all the policies in such a way that it includes the multiple resource types they are handling, but it would be a huge task.
As a temporary fix, we can add a condition in the PreScanFilter for the kubernetes policies so that they are not filtered.
Please let me know your opinion.

Thanks
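The metadata mismatch described in the comment above, modelled as an added Go example that is not Terrascan's own code: `Policy`, `PreScanFilter`, `UndeclaredTypes` and the sample policies are constructed names and data. The filter drops a kubernetes_pod policy when the rendered chart contains only deployments and services, the `bypassK8s` flag models the temporary fix, and `UndeclaredTypes` reports the metadata drift the permanent fix would have to correct.

```go
package main

import "strings"

// Policy is a constructed, simplified model of a Rego policy (not Terrascan's type):
// Metadata lists the declared resource types, Handles the types the body inspects.
type Policy struct {
	ID       string
	Metadata []string
	Handles  []string
}

// PreScanFilter models the metadata-based filter from the issue: a policy is kept
// only if one of its declared resource types occurs in the scanned config. With
// bypassK8s set, kubernetes_* policies are never dropped (the proposed temporary fix).
func PreScanFilter(policies []Policy, scanned []string, bypassK8s bool) []string {
	present := map[string]bool{}
	for _, t := range scanned {
		present[t] = true
	}
	var kept []string
	for _, p := range policies {
		for _, t := range p.Metadata {
			if present[t] || (bypassK8s && strings.HasPrefix(t, "kubernetes_")) {
				kept = append(kept, p.ID)
				break
			}
		}
	}
	return kept
}

// UndeclaredTypes returns the types a policy handles but would be filtered out
// for when scanned alone: exactly the drift that causes silent policy loss.
func UndeclaredTypes(p Policy) []string {
	var missing []string
	for _, t := range p.Handles {
		if len(PreScanFilter([]Policy{p}, []string{t}, false)) == 0 {
			missing = append(missing, t)
		}
	}
	return missing
}

// Constructed sample policies mirroring the issue's scenario.
var Policies = []Policy{
	{ID: "rootContainer", Metadata: []string{"kubernetes_pod"}, Handles: []string{"kubernetes_pod", "kubernetes_deployment", "kubernetes_job"}},
	{ID: "serviceSelector", Metadata: []string{"kubernetes_service"}, Handles: []string{"kubernetes_service"}},
	{ID: "s3Encryption", Metadata: []string{"aws_s3_bucket"}, Handles: []string{"aws_s3_bucket"}},
}
```

Scanning `[]string{"kubernetes_deployment", "kubernetes_service"}` through `PreScanFilter(Policies, scanned, false)` keeps only `serviceSelector`, while the bypass keeps `rootContainer` as well.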
