Wrong detection of AllowPrivilegeEscalation (policy AC-K8-CA-PO-H-0165) in K8s pod spec #721
Hello @MMerzinger ,
Hi @vhnguyenae Yes, if I run the above example again, it works fine:

docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan version
version: v1.7.0

docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan scan -i k8s -f pod.valid-spec-but-scanner-shows-violated-policy.yaml

Violation Details -
Description : Image without digest affects the integrity principle of image security
File : pod.valid-spec-but-scanner-shows-violated-policy.yaml
Line : 1
Severity : MEDIUM
-----------------------------------------------------------------------
Description : Default seccomp profile not enabled will make the container to make non-essential system calls
File : pod.valid-spec-but-scanner-shows-violated-policy.yaml
Line : 1
Severity : MEDIUM
-----------------------------------------------------------------------
Scan Summary -
File/Folder : /iac/pod.valid-spec-but-scanner-shows-violated-policy.yaml
IaC Type : k8s
Scanned At : 2021-06-15 15:25:47.225520351 +0000 UTC
Policies Validated : 81
Violated Policies : 2
Low : 0
Medium : 2
High : 0

Can you share your K8s templates that violate the policy?
Hi @MMerzinger ,
Hi @vhnguyenae, I cannot reproduce the issue with your template.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  labels:
    app: test
    chart: test
    release: test
    heritage: test
    name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
      release: test
      name: test
  template:
    metadata:
      labels:
        app: test
        release: test
        name: test
    spec:
      containers:
      - name: test
        image: busybox:1.28
        imagePullPolicy: Always
        env:
        - name: TEST
          value: TEST
  securityContext:
    runAsNonRoot: true
    allowPrivilegeEscalation: false

docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan scan -i k8s -f deploy.yaml

Scan Summary -
File/Folder : /iac/deploy.yaml
IaC Type : k8s
Scanned At : 2021-06-16 18:53:43.3100775 +0000 UTC
Policies Validated : 0
Violated Policies : 0
Low : 0
Medium : 0
High : 0

At first glance, the template appears to be invalid (you can quickly check it with https://www.kubeyaml.com). A deployment does not have the securityContext field. It only exists under pod.spec or pod.spec.containers. Furthermore, pod.spec.securityContext.allowPrivilegeEscalation does not exist, it only exists under pod.spec.containers.securityContext.allowPrivilegeEscalation.
Hi @MMerzinger ,
Hi @vhnguyenae, unfortunately running the command with "-i helm" would not work as it is currently just a "normal" yaml spec and not a helm chart:

docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan scan -i helm -f deploy.vhnguyenae.yaml
2021-06-17T13:04:47.070Z error v3/load-file.go:32 load iac file is not supported for helm
2021-06-17T13:04:47.074Z error cli/run.go:113 scan run failed{error 26 0 load iac file is not supported for helm}

Please open a new issue and provide the necessary details about your helm chart and possibly reference this issue. This will help the developers of this repo to analyse your problem. You can find more details about contributions to this repo under this link.
@MMerzinger @vhnguyenae

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-VERSION
  namespace: my-namespace
  labels:
    app: myapp
    version: "VERSION"
  annotations:
    container.apparmor.security.beta.kubernetes.io/myapp: runtime/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      version: "VERSION"
  template:
    metadata:
      labels:
        app: myapp
        version: "VERSION"
    spec:
      securityContext:
        runAsUser: 1000
      containers:
      - name: myapp
        image: git.private.sth/security/myapp:<DEPLOYMENT_TAG>
        resources:
          requests:
            memory: "750Mi"
            cpu: "0.4"
          limits:
            memory: "1000Mi"
            cpu: "1"
        imagePullPolicy: Always
        ports:
        - containerPort: 8000
        envFrom:
        - configMapRef:
            name: myapp
        - secretRef:
            name: myapp
        readinessProbe:
          httpGet:
            path: /health-status/readiness
            port: 8000
          initialDelaySeconds: 3
          periodSeconds: 5
        livenessProbe:
          httpGet:
            path: /health-status/liveness
            port: 8000
          initialDelaySeconds: 3
          periodSeconds: 5
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop:
            - NET_ADMIN
            - CHOWN
            - DAC_OVERRIDE
            - FSETID
            - FOWNER
            - MKNOD
            - NET_RAW
            - SETGID
            - SETUID
            - SETFCAP
            - SETPCAP
            - NET_BIND_SERVICE
            - SYS_CHROOT
            - KILL
            - AUDIT_WRITE
      imagePullSecrets:
      - name: regsecret

and when I run the following command:

terrascan scan -i k8s -t k8s --severity high -v -f dep.yml

I'm still getting the errors:
Hi @vhnguyenae and @abzcoding I tried to reproduce the issue with the spec provided by @abzcoding, but I have no results.

docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan version
version: v1.7.0

docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan scan -i k8s -t k8s

Violation Details -
Description : Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions
File : github-tests/dep.yaml
Line : 1
Severity : MEDIUM
-----------------------------------------------------------------------
Description : Default seccomp profile not enabled will make the container to make non-essential system calls
File : github-tests/dep.yaml
Line : 1
Severity : MEDIUM
-----------------------------------------------------------------------
Description : Image without digest affects the integrity principle of image security
File : github-tests/dep.yaml
Line : 1
Severity : MEDIUM
-----------------------------------------------------------------------
Description : AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats
File : github-tests/dep.yaml
Line : 1
Severity : MEDIUM
-----------------------------------------------------------------------
Scan Summary -
File/Folder : /iac
IaC Type : k8s
Scanned At : 2021-06-18 07:09:01.7494341 +0000 UTC
Policies Validated : 49
Violated Policies : 4
Low : 0
Medium : 4
High : 0

With a local installation:

terrascan version
version: v1.7.0

terrascan scan -i k8s -t k8s

Violation Details -
Description : Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions
File : github-tests/dep.yaml
Line : 1
Severity : MEDIUM
-----------------------------------------------------------------------
Description : AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats
File : github-tests/dep.yaml
Line : 1
Severity : MEDIUM
-----------------------------------------------------------------------
Description : Image without digest affects the integrity principle of image security
File : github-tests/dep.yaml
Line : 1
Severity : MEDIUM
-----------------------------------------------------------------------
Description : Default seccomp profile not enabled will make the container to make non-essential system calls
File : github-tests/dep.yaml
Line : 1
Severity : MEDIUM
-----------------------------------------------------------------------
Scan Summary -
File/Folder : /tmp
IaC Type : k8s
Scanned At : 2021-06-18 09:21:19.453195 +0000 UTC
Policies Validated : 49
Violated Policies : 4
Low : 0
Medium : 4
High : 0

Do you guys use the latest policy set? A look at the commit that closed this issue shows that only the policy file was changed (and its metadata json). I tried to reproduce the issue with the latest docker image and a local installation via brew - no results. But in my case both approaches use the latest policy set.

Regards
Hi @vhnguyenae and @MMerzinger You're right, it seems that my policy files were not up to date. Just to be sure, I deleted terrascan and installed it again, and I have no problems anymore.

brew uninstall terrascan
brew cleanup
rm -rf ~/.terrascan
brew install terrascan
thank you guys, after the
Hello everyone

Description

During a scan with my pod spec I was always getting the policy violation "Containers Should Not Run with AllowPrivilegeEscalation". The problem: I configured the container security context properly with allowPrivilegeEscalation: false. The assumption is that terrascan expects allowPrivilegeEscalation: "false" under pod.spec.securityContext, but this is an invalid pod spec. allowPrivilegeEscalation: false has to be under pod.spec.container.securityContext and false should not be in quotes. My expectation would be that the valid pod spec with allowPrivilegeEscalation: false under pod.spec.container.securityContext does not violate the policy.

What I Did

Terrascan version:

docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan version
version: v1.5.1

Kubernetes version:

The following spec is valid (i.e. kubectl apply -f works), but violates the AllowPrivilegeEscalation policy (shown by the scan after the pod spec).

And the scan result:

To stop the policy violation I had to put allowPrivilegeEscalation: "false" (note: the quotes) into pod.spec.securityContext and pod.spec.containers.securityContext. But this results in a pod spec that is invalid: