Added control and rule for Kubernetes Aggregated API Server Redirection Vulnerability [CVE 2022-3172] #304
Conversation
…on Vulnerability [CVE 2022-3172] Signed-off-by: Karanjot Singh <drquark@duck.com>
Hey @0xquark, I think it is important to create a test for every control. We have a small test framework. @Daniel-GrunbergerCA, can you help us?
Signed-off-by: Karanjot Singh <drquark@duck.com>
@slashben Thank you for the review. I've added the test, but I am unable to set up the test environment locally and test the changes. The kubescape documentation for testrunner redirects to the same page when clicking on |
Hi @0xquark, and thanks for your contribution. This is really appreciated.
@alegrey91 thanks! How can I install the testrunner/opaprocessor package?
@0xquark actually you should not need to install it.
Great! Can you please share how you solved the problem?
The last one is maybe because go-oidc recently changed their import path (https://github.com/coreos/go-oidc).
Did you run |
Ah! My bad! I forgot to run it; that's why the packages were missing.
You're welcome ;)
Signed-off-by: Karanjot Singh <drquark@duck.com> - Imported future.keywords - used .yaml input instead of .json ( doesn't make much difference ) - fixed vulnerable_version format
I tried running tests for the policy and it is resulting in an unmarshaling error.
I tried fixing this by changing the structure of vulnerable_version to be a list instead of an object, but it turns out to be no good. From my understanding, it indicates that json.Unmarshal cannot unmarshal the variable's value into a reporthandling.RuleResponse type. I think vulnerable_version is being interpreted as a reporthandling.RuleResponse instead of a set of strings as intended. Edit: Fixed using |
Signed-off-by: Karanjot Singh <drquark@duck.com>
Whenever I run tests using TestSingleRego, it generates an empty struct.
This PR is ready for review 🚀
@alegrey91 Ping :)
Sorry for the late reply. We need a few days to make some checks and then we can finally take a look at it.
Great! Let me know if you run into any issues :)
@Daniel-GrunbergerCA, what is the difference between this control and C-0089?
Hey @slashben, I believe this control is already implemented and I might've missed it while looking for any previously implemented controls before implementing this. However, this control also includes a rule which checks for the vulnerable versions of API servers, and if it is vulnerable then it prompts the user with a deny message.
Hey @0xquark |
Hi there! @Daniel-GrunbergerCA No worries! Thank you for letting me know about the control already being implemented. If I come across any other controls that I believe would be beneficial, I will definitely let you know.
Summary
This PR adds control and rule for Kubernetes Aggregated API Server Redirection Vulnerability [CVE 2022-3172].
kubernetes/kubernetes#112513
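The thread above describes the rule as a version check: the kube-apiserver version is compared against the patched releases and a deny message is raised when it predates the fix. The Go program below is an added example of that comparison written for this page; it is not the PR's Rego rule and not regolibrary code. The fixed-version table (`fixedVersions`) is an assumption taken from the upstream issue kubernetes/kubernetes#112513 and must be verified against it before being used anywhere real; the sample version strings in `main` are constructed, not taken from a cluster.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed Kubernetes release version (major.minor.patch).
type Version struct {
	Major, Minor, Patch int
}

// ParseVersion accepts the forms reported by kube-apiserver, e.g. "v1.24.4",
// "1.25.0" or vendor builds such as "v1.24.4-gke.100"; anything after the
// patch number (pre-release or build metadata) is ignored.
func ParseVersion(raw string) (Version, error) {
	s := strings.TrimPrefix(strings.TrimSpace(raw), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("malformed version %q", raw)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return Version{}, fmt.Errorf("malformed version %q", raw)
		}
		n[i] = x
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less reports whether v sorts before o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// fixedVersions lists, per minor line, the first patch release that contains
// the fix for CVE-2022-3172. ASSUMPTION: these values are taken from the
// upstream issue (kubernetes/kubernetes#112513) and must be verified against
// it before this table is used in a real rule.
var fixedVersions = map[int]Version{
	22: {1, 22, 14},
	23: {1, 23, 11},
	24: {1, 24, 5},
	25: {1, 25, 1},
}

// oldestFixedMinor is the oldest minor line that received a fix; older lines
// (1.21 and below) received none and are treated as vulnerable.
const oldestFixedMinor = 22

// IsVulnerableCVE20223172 returns true when the given kube-apiserver version
// predates the fix for its minor line. Minor lines newer than any listed fix
// shipped with the fix and are treated as not vulnerable.
func IsVulnerableCVE20223172(raw string) (bool, error) {
	v, err := ParseVersion(raw)
	if err != nil {
		return false, err
	}
	if v.Major != 1 {
		return false, fmt.Errorf("version %q is outside the 1.x line this check covers", raw)
	}
	fixed, ok := fixedVersions[v.Minor]
	if !ok {
		return v.Minor < oldestFixedMinor, nil
	}
	return v.Less(fixed), nil
}

func main() {
	// Constructed sample inputs; not taken from a real cluster.
	for _, ver := range []string{"v1.24.4", "v1.24.5", "v1.25.0", "v1.24.4-gke.100", "v1.26.0", "1.21.14"} {
		vuln, err := IsVulnerableCVE20223172(ver)
		if err != nil {
			fmt.Println(ver, "error:", err)
			continue
		}
		fmt.Printf("%-18s vulnerable=%v\n", ver, vuln)
	}
}
```

Comparing parsed integers rather than strings matters here: a plain string comparison would rank "1.24.5" below "1.24.13", and vendor suffixes such as "-gke.100" would break an exact-match lookup, so the check strips the suffix and compares major, minor and patch numerically.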