Adding more container runtime sockets #497

Merged (3 commits) on Aug 13, 2023
6 changes: 3 additions & 3 deletions controls/C-0074-containersmountingdockersocket.json
@@ -6,13 +6,13 @@
"devops"
]
},
"description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.",
"remediation": "Remove docker socket mount request or define an exception.",
"description": "Mounting Container runtime socket (Unix socket) enables container to access Container runtime, retrieve sensitive information and execute commands, if Container runtime is available. This control identifies PODs that attempt to mount Container runtime socket for accessing Container runtime.",
"remediation": "Remove container runtime socket mount request or define an exception.",
"rulesNames": [
"containers-mounting-docker-socket"
],
"long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.",
"test": "Check hostpath. If the path is set to /var/run/docker.sock or /var/lib/docker , the container has access to Docker internals - fail.",
"test": "Check hostpath. If the path is set to one of the container runtime socket, the container has access to container runtime - fail.",
"controlID": "C-0074",
"baseScore": 5.0,
"scanningScope": {
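Review bot: the `long_description` on the unchanged context line still reads "Mounting Docker socket (Unix socket) enables container to access Docker internals ... execute Docker commands", while the `description` directly above it was generalised to "Container runtime socket"; update it the same way so the control text is consistent. Two smaller points in the `+` lines: "one of the container runtime socket" should read "one of the container runtime sockets", and dropping the explicit path list from `test` loses information the reader of the control needs. Listing the paths the rule actually matches would also resolve the old text's mismatch: it named `/var/lib/docker`, whereas the rego compares against `/var/run/docker`.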
18 changes: 13 additions & 5 deletions rules/containers-mounting-docker-socket/raw.rego
@@ -6,7 +6,7 @@ deny[msga] {
pod.kind == "Pod"
volume := pod.spec.volumes[i]
host_path := volume.hostPath
is_docker_mounting(host_path)
is_runtime_socket_mounting(host_path)
path := sprintf("spec.volumes[%v].hostPath.path", [format_int(i, 10)])
msga := {
"alertMessage": sprintf("volume: %v in pod: %v has mounting to Docker internals.", [volume.name, pod.metadata.name]),
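Review bot: the `alertMessage` in the trailing context line still says "has mounting to Docker internals." even though the predicate was renamed to `is_runtime_socket_mounting` and now also matches the containerd and CRI-O sockets; the same string appears in the other two `deny` rules of this file. Suggest something like "has mounting to container runtime socket." and updating the `expected.json` fixtures accordingly, otherwise a finding on `/run/containerd/containerd.sock` is reported to the user as a Docker problem.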
@@ -28,7 +28,7 @@ deny[msga] {
spec_template_spec_patterns[wl.kind]
volume := wl.spec.template.spec.volumes[i]
host_path := volume.hostPath
is_docker_mounting(host_path)
is_runtime_socket_mounting(host_path)
path := sprintf("spec.template.spec.volumes[%v].hostPath.path", [format_int(i, 10)])
msga := {
"alertMessage": sprintf("volume: %v in %v: %v has mounting to Docker internals.", [ volume.name, wl.kind, wl.metadata.name]),
@@ -48,7 +48,7 @@ deny[msga] {
wl.kind == "CronJob"
volume = wl.spec.jobTemplate.spec.template.spec.volumes[i]
host_path := volume.hostPath
is_docker_mounting(host_path)
is_runtime_socket_mounting(host_path)
path := sprintf("spec.jobTemplate.spec.template.spec.volumes[%v].hostPath.path", [format_int(i, 10)])
msga := {
"alertMessage": sprintf("volume: %v in %v: %v has mounting to Docker internals.", [ volume.name, wl.kind, wl.metadata.name]),
@@ -63,10 +63,18 @@ deny[msga] {
}


is_docker_mounting(host_path) {
is_runtime_socket_mounting(host_path) {
host_path.path == "/var/run/docker.sock"
}

is_docker_mounting(host_path) {
is_runtime_socket_mounting(host_path) {
host_path.path == "/var/run/docker"
}

is_runtime_socket_mounting(host_path) {
host_path.path == "/run/containerd/containerd.sock"
}

is_runtime_socket_mounting(host_path) {
host_path.path == "/var/run/crio/crio.sock"
}
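Review bot: the four `is_runtime_socket_mounting` bodies compare `host_path.path` for exact string equality, so common spellings of the same socket are missed: on most distributions `/var/run` is a symlink to `/run`, so a pod mounting `/run/docker.sock`, `/run/crio/crio.sock` or `/var/run/containerd/containerd.sock` is not flagged, and a mount of a parent directory such as `/run` or `/var/run` that contains the socket is not flagged either (the fixtures in this PR use `/var` as the negative case, which does not exercise that). Consider folding the bodies into one set lookup that is easier to extend, e.g. `runtime_sockets := {"/var/run/docker.sock", "/run/docker.sock", "/run/containerd/containerd.sock", "/var/run/crio/crio.sock"}` with `is_runtime_socket_mounting(host_path) { runtime_sockets[host_path.path] }`, and add the `/run/` and `/var/run/` variants of each path. Separately, `/var/run/docker` is carried over from the old rule while the old control text said `/var/lib/docker`; decide which directory was intended and make the rule and the control text agree.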
2 changes: 1 addition & 1 deletion rules/containers-mounting-docker-socket/rule.metadata.json
@@ -44,7 +44,7 @@
}
],
"ruleDependencies": [],
"description": "Check hostpath. If the path is set to /var/run/docker.sock or /var/lib/docker , the container has access to Docker internals - fail.",
"description": "Check hostpath. If the path is set to one of the container runtime socket, the container has access to container runtime - fail.",
"remediation": "",
"ruleQuery": "armo_builtins"
}
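Review bot: same wording issue as in the control file: "one of the container runtime socket" should be "one of the container runtime sockets". Since this `description` is what users see for the rule, consider naming the paths checked (the Docker, containerd and CRI-O sockets) rather than leaving them implicit, so the metadata can be verified against the rego.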
New file (path not captured in this view):
@@ -0,0 +1,23 @@
[
{
"alertMessage": "volume: test-volume in CronJob: hello has mounting to Docker internals.",
"failedPaths": [
"spec.jobTemplate.spec.template.spec.volumes[0].hostPath.path"
],
"fixPaths": [],
"ruleStatus": "",
"packagename": "armo_builtins",
"alertScore": 5,
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "batch/v1beta1",
"kind": "CronJob",
"metadata": {
"name": "hello"
}
}
]
}
}
]
New file (path not captured in this view):
@@ -0,0 +1,24 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hello
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath:
path: /run/containerd/containerd.sock #we are looking for this
- name : test-volume2
hostPath :
path : /var
restartPolicy: OnFailure
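Review bot: the fixture uses `apiVersion: batch/v1beta1`, which was removed for CronJob in Kubernetes 1.25; `batch/v1` has been the stable CronJob API since 1.21. The rule matches on `kind` only, so the test still passes, but using `batch/v1` here (and in the matching `expected.json`, whose `k8sApiObjects` entry echoes the version) keeps the fixtures valid against current clusters. The same applies to the second CronJob fixture with the CRI-O socket.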
New file (path not captured in this view):
@@ -0,0 +1,23 @@
[
{
"alertMessage": "volume: test-volume in CronJob: hello has mounting to Docker internals.",
"failedPaths": [
"spec.jobTemplate.spec.template.spec.volumes[0].hostPath.path"
],
"fixPaths": [],
"ruleStatus": "",
"packagename": "armo_builtins",
"alertScore": 5,
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "batch/v1beta1",
"kind": "CronJob",
"metadata": {
"name": "hello"
}
}
]
}
}
]
New file (path not captured in this view):
@@ -0,0 +1,24 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hello
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath:
path: /var/run/crio/crio.sock #we are looking for this
- name : test-volume2
hostPath :
path : /var
restartPolicy: OnFailure
New file (path not captured in this view):
@@ -0,0 +1,23 @@
[
{
"alertMessage": "volume: test-volume in pod: test-pd has mounting to Docker internals.",
"failedPaths": [
"spec.volumes[0].hostPath.path"
],
"fixPaths": [],
"ruleStatus": "",
"packagename": "armo_builtins",
"alertScore": 5,
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "test-pd"
}
}
]
}
}
]
New file (path not captured in this view):
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: test-pd
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath:
path: /run/containerd/containerd.sock #we are looking for this parameter
- name : test-volume2
hostPath :
path : /var
New file (path not captured in this view):
@@ -0,0 +1,23 @@
[
{
"alertMessage": "volume: test-volume in pod: test-pd has mounting to Docker internals.",
"failedPaths": [
"spec.volumes[0].hostPath.path"
],
"fixPaths": [],
"ruleStatus": "",
"packagename": "armo_builtins",
"alertScore": 5,
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "test-pd"
}
}
]
}
}
]
New file (path not captured in this view):
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: test-pd
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath:
path: /var/run/crio/crio.sock #we are looking for this parameter
- name : test-volume2
hostPath :
path : /var
New file (path not captured in this view):
@@ -0,0 +1,26 @@
[
{
"alertMessage": "volume: test-volume2 in Deployment: my-deployment has mounting to Docker internals.",
"failedPaths": [
"spec.template.spec.volumes[1].hostPath.path"
],
"fixPaths": [],
"ruleStatus": "",
"packagename": "armo_builtins",
"alertScore": 5,
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"labels": {
"purpose": "demonstrate-command"
},
"name": "my-deployment"
}
}
]
}
}
]
New file (path not captured in this view):
@@ -0,0 +1,40 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-deployment
labels:
purpose: demonstrate-command
spec:
selector:
matchLabels:
purpose: demonstrate-command
template:
metadata:
labels:
purpose: demonstrate-command
spec:
containers :
- name : test-container
image : k8s.gcr.io/test-webserver
securityContext:
readOnlyRootFilesystem: false
volumeMounts :
- mountPath : /test-pd
readOnly: true
name : test-volume
- mountPath : /test-pd2
readOnly: false
name : test-volume
- name : test-container2
image : k8s.gcr.io/test-webserver
securityContext:
privileged : true
- name : test-container3
image : k8s.gcr.io/test-webserver
volumes :
- name : test-volume
hostPath :
path : /var
- name : test-volume2
hostPath :
path : /run/containerd/containerd.sock #we are looking for this
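Review bot: `test-volume2`, the volume that carries `/run/containerd/containerd.sock`, is declared under `volumes` but no container lists it in `volumeMounts` (both mounts in `test-container` reference `test-volume`). The rule evaluates `spec.template.spec.volumes`, so the expected finding on `volumes[1]` is still correct, but a fixture that also mounts the socket volume into a container would represent the case the control describes (a container that can reach the runtime). `test-container2` with `privileged : true` exercises a different control and can be dropped to keep this fixture focused on the socket mount.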
New file (path not captured in this view):
@@ -0,0 +1,26 @@
[
{
"alertMessage": "volume: test-volume2 in Deployment: my-deployment has mounting to Docker internals.",
"failedPaths": [
"spec.template.spec.volumes[1].hostPath.path"
],
"fixPaths": [],
"ruleStatus": "",
"packagename": "armo_builtins",
"alertScore": 5,
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"labels": {
"purpose": "demonstrate-command"
},
"name": "my-deployment"
}
}
]
}
}
]