
Wrong detection of MemoryRequestsCheck,CpuRequestsCheck,noReadinessProbe and nolivenessProbe policy in k8s Job spec #767

Closed
Rchanger opened this issue May 11, 2021 · 2 comments
Assignees
Labels
bug policy Issue concerning policy maintainers.

Comments

@Rchanger
Contributor

  • terrascan version: v1.6.0
  • Operating System: Mac OS

Description

I was scanning my k8s yaml file of kind Job.

What I Did

docker run --rm -it  --volume /Users/suvarna/testfolder/:/data accurics/terrascan:latest  scan -d /data/ -i k8s -o json
{
  "results": {
    "violations": [
      {
        "rule_name": "containersAsHighUID",
        "description": "Containers Should Run as a High UID to Avoid Host Conflict",
        "rule_id": "AC-K8-NS-PO-M-0182",
        "severity": "MEDIUM",
        "category": "Infrastructure Security",
        "resource_name": "terrascan-hook-",
        "resource_type": "kubernetes_job",
        "file": "presynchook-webhook.yml",
        "line": 1
      },
      {
        "rule_name": "imageWithLatestTag",
        "description": "No tag or container image with :Latest tag makes difficult to rollback and track",
        "rule_id": "AC-K8-OE-PO-L-0134",
        "severity": "LOW",
        "category": "Security Best Practices",
        "resource_name": "terrascan-hook-",
        "resource_type": "kubernetes_job",
        "file": "presynchook-webhook.yml",
        "line": 1
      },
      {
        "rule_name": "imageWithoutDigest",
        "description": "Image without digest affects the integrity principle of image security",
        "rule_id": "AC-K8-NS-PO-M-0133",
        "severity": "MEDIUM",
        "category": "Infrastructure Security",
        "resource_name": "terrascan-hook-",
        "resource_type": "kubernetes_job",
        "file": "presynchook-webhook.yml",
        "line": 1
      },
      {
        "rule_name": "MemoryRequestsCheck",
        "description": "Memory Request Not Set in config file.",
        "rule_id": "AC-K8-OE-PK-M-0157",
        "severity": "Medium",
        "category": "Security Best Practices",
        "resource_name": "terrascan-hook-",
        "resource_type": "kubernetes_job",
        "file": "presynchook-webhook.yml",
        "line": 1
      },
      {
        "rule_name": "readOnlyFileSystem",
        "description": "Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions",
        "rule_id": "AC-K8-IA-PO-M-0140",
        "severity": "MEDIUM",
        "category": "Identity and Access Management",
        "resource_name": "terrascan-hook-",
        "resource_type": "kubernetes_job",
        "file": "presynchook-webhook.yml",
        "line": 1
      },
      {
        "rule_name": "nolivenessProbe",
        "description": "No liveness probe will ensure there is no recovery in case of unexpected errors",
        "rule_id": "AC-K8-OE-PO-L-0129",
        "severity": "LOW",
        "category": "Security Best Practices",
        "resource_name": "terrascan-hook-",
        "resource_type": "kubernetes_job",
        "file": "presynchook-webhook.yml",
        "line": 1
      },
      {
        "rule_name": "runAsNonRootCheck",
        "description": "Minimize Admission of Root Containers",
        "rule_id": "AC-K8-IA-PO-H-0168",
        "severity": "HIGH",
        "category": "Identity and Access Management",
        "resource_name": "terrascan-hook-",
        "resource_type": "kubernetes_job",
        "file": "presynchook-webhook.yml",
        "line": 1
      },
      {
        "rule_name": "privilegeEscalationCheck",
        "description": "Containers Should Not Run with AllowPrivilegeEscalation",
        "rule_id": "AC-K8-CA-PO-H-0165",
        "severity": "HIGH",
        "category": "Compliance Validation",
        "resource_name": "terrascan-hook-",
        "resource_type": "kubernetes_job",
        "file": "presynchook-webhook.yml",
        "line": 1
      },
      {
        "rule_name": "CpuRequestsCheck",
        "description": "CPU Request Not Set in config file.",
        "rule_id": "AC-K8-OE-PK-M-0155",
        "severity": "Medium",
        "category": "Security Best Practices",
        "resource_name": "terrascan-hook-",
        "resource_type": "kubernetes_job",
        "file": "presynchook-webhook.yml",
        "line": 1
      },
      {
        "rule_name": "noReadinessProbe",
        "description": "No readiness probe will affect automatic recovery in case of unexpected errors",
        "rule_id": "AC-K8-OE-PO-L-0130",
        "severity": "LOW",
        "category": "Security Best Practices",
        "resource_name": "terrascan-hook-",
        "resource_type": "kubernetes_job",
        "file": "presynchook-webhook.yml",
        "line": 1
      }
    ],
    "skipped_violations": null,
    "scan_summary": {
      "file/folder": "/data",
      "iac_type": "k8s",
      "scanned_at": "2021-05-11 05:44:14.039964695 +0000 UTC",
      "policies_validated": 607,
      "violated_policies": 10,
      "low": 3,
      "medium": 5,
      "high": 2
    }
  }
}

My yaml file already has settings for the liveness probe, the readiness probe and resource requests, but I am still getting violations for them.

My yaml file for reference:

apiVersion: batch/v1
kind: Job
metadata:
  generateName: terrascan-hook-
  namespace: <YOUR APPLICATION NAMESPACE>
  annotations:
    argocd.argoproj.io/hook: PreSync
spec:
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: terrascan-argocd
          image: <CUSTOM PRESYNC HOOK IMAGE>
          resources:
            requests:
              cpu: "1"
              memory: "256Mi"
            limits:
              cpu: "1"
              memory: "256Mi"
          env:
            - name: SERVICE_NAME
              value: <Name of service exposed for terrascan controller pod>
            - name: REMOTE_URL
              value: <YOUR PRIVATE REPOSITORY PATH>
            - name: IAC_TYPE
              value: <IAC TYPE YOU WANT TO SCAN> # If not provided, the default value is 'k8s'
            - name: IAC_VERSION
              value: <VERSION OF IAC TYPE SELECTED> # If not provided, the default value is 'v1'
            - name: CLOUD_PROVIDER
              value: <TYPE OF CLOUD PROVIDER> # If not provided, the default value is 'all'
            - name: REMOTE_TYPE
              value: <TYPE OF REMOTE> # If not provided, the default value is 'git'
          args:
            - sh
            - /home/terrascan/bin/terrascan-remote-scan.sh
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 101
          livenessProbe:
            exec:
              command:
                - cat
                - /home/terrascan/bin/terrascan-remote-scan.sh
            periodSeconds: 10
            initialDelaySeconds: 10
          readinessProbe:
            exec:
              command:
                - cat
                - /home/terrascan/bin/terrascan-remote-scan.sh
            periodSeconds: 10
            initialDelaySeconds: 10
      restartPolicy: Never
  backoffLimit: 1
@Rchanger
Contributor Author

Rchanger commented May 11, 2021

After checking the code, I found that there is an issue with the policy JSON files.

AC-K8-OE-PK-M-0157.json and AC-K8-OE-PK-M-0155.json have the wrong param field value; it should be requests instead of resources.

{
  "name": "MemoryRequestsCheck",
  "file": "securityContextCheck.rego",
  "template_args": {
    "allowed": "true",
    "arg1": "requests",
    "arg2": "memory",
    "name": "MemoryRequestsCheck",
    "not_allowed": "false",
    "param": "resources",
    "param1": "resources",
    "prefix": "",
    "suffix": "",
    "value": "false"
  },
  "severity": "Medium",
  "description": "Memory Request Not Set in config file.",
  "reference_id": "AC-K8-OE-PK-M-0157",
  "category": "Security Best Practices",
  "version": 1
}
{
  "name": "CpuRequestsCheck",
  "file": "securityContextCheck.rego",
  "template_args": {
    "allowed": "true",
    "arg1": "requests",
    "arg2": "cpu",
    "name": "CpuRequestsCheck",
    "not_allowed": "false",
    "param": "resources",
    "param1": "resources",
    "prefix": "",
    "suffix": "",
    "value": "false"
  },
  "severity": "Medium",
  "description": "CPU Request Not Set in config file.",
  "reference_id": "AC-K8-OE-PK-M-0155",
  "category": "Security Best Practices",
  "version": 1
}

After setting the param field to the correct value (requests), it did not give me the MemoryRequestsCheck and CpuRequestsCheck violations.

Not sure about the reason for the liveness and readiness probe violations yet.

@Rchanger
Contributor Author

In the case of the liveness and readiness probes, there is an issue with the policy JSON and the rego file as well.

{
  "name": "nolivenessProbe",
  "file": "probeCheck.rego",
  "template_args": {
    "argument": "livenessProbe",
    "argumentTF": "liveness_probe",
    "name": "nolivenessProbe",
    "prefix": "",
    "suffix": ""
  },
  "severity": "LOW",
  "description": "No liveness probe will ensure there is no recovery in case of unexpected errors",
  "reference_id": "AC-K8-OE-PO-L-0129",
  "category": "Security Best Practices",
  "version": 1
}

Here both fields, argument and argumentTF, are verified against the pod YAML file, and there is nothing called liveness_probe or readiness_probe in k8s. The valid fields are livenessProbe and readinessProbe.
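Both comments above describe the same class of defect: a policy that looks up a key that does not exist in a Kubernetes container spec (resources under resources, or the Terraform-style liveness_probe name) and therefore reports a violation for a manifest that is actually compliant. The following Python is an added example, not terrascan's code or its rego: it models each policy as a key path into the container spec and runs the as-shipped paths and the corrected paths against a trimmed copy of the Job from this issue. The assumption that the resource-request template composes the path as resources.<param>.<arg2> is mine, made only to reproduce the false positive described above; the image value and probe commands in the manifest are constructed placeholders.

```python
"""Key-path policy checks against a Kubernetes workload manifest.

Added example (not terrascan's own code or rego). Each policy is a key
path into a container spec; a container that lacks the path violates
the policy. A mis-named path segment turns a compliant manifest into a
false positive, which is what the issue above reports.
"""
from typing import Any, Dict, List, Optional

# Constructed manifest: a trimmed copy of the Job from the issue, keeping
# the resource requests and probes that were wrongly flagged.
JOB_MANIFEST: Dict[str, Any] = {
    "apiVersion": "batch/v1",
    "kind": "Job",
    "metadata": {"generateName": "terrascan-hook-"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "terrascan-argocd",
                        "image": "registry.invalid/presync-hook:1.0",  # placeholder
                        "resources": {
                            "requests": {"cpu": "1", "memory": "256Mi"},
                            "limits": {"cpu": "1", "memory": "256Mi"},
                        },
                        "livenessProbe": {"exec": {"command": ["cat", "/tmp/ok"]}},
                        "readinessProbe": {"exec": {"command": ["cat", "/tmp/ok"]}},
                    }
                ],
                "restartPolicy": "Never",
            }
        }
    },
}

# Kinds whose containers live under spec.template.spec (a pod template).
TEMPLATED_KINDS = {"Job", "Deployment", "StatefulSet", "DaemonSet", "ReplicaSet"}


def containers_of(manifest: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return all containers (including initContainers) of a workload manifest."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        pod_spec = spec
    elif kind == "CronJob":
        pod_spec = spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    elif kind in TEMPLATED_KINDS:
        pod_spec = spec.get("template", {}).get("spec", {})
    else:
        return []  # not a workload kind; nothing to check
    return list(pod_spec.get("containers", [])) + list(pod_spec.get("initContainers", []))


def lookup(obj: Any, path: List[str]) -> Optional[Any]:
    """Walk a nested dict along `path`; None if any segment is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def evaluate(manifest: Dict[str, Any], policies: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {policy name: [names of containers that lack the key path]}."""
    findings: Dict[str, List[str]] = {}
    for name, path in policies.items():
        missing = [c.get("name", "<unnamed>") for c in containers_of(manifest) if lookup(c, path) is None]
        if missing:
            findings[name] = missing
    return findings


# The policies as shipped in the issue, rendered as key paths (assumption:
# the template composes resources.<param>.<arg2>, so param="resources"
# yields resources.resources.memory; the probe policy uses the Terraform
# field name liveness_probe, which no Kubernetes container has).
BUGGY_POLICIES = {
    "MemoryRequestsCheck": ["resources", "resources", "memory"],
    "CpuRequestsCheck": ["resources", "resources", "cpu"],
    "nolivenessProbe": ["liveness_probe"],
    "noReadinessProbe": ["readiness_probe"],
}

# The same policies using the field names Kubernetes actually defines.
FIXED_POLICIES = {
    "MemoryRequestsCheck": ["resources", "requests", "memory"],
    "CpuRequestsCheck": ["resources", "requests", "cpu"],
    "nolivenessProbe": ["livenessProbe"],
    "noReadinessProbe": ["readinessProbe"],
}

if __name__ == "__main__":
    for label, policy_set in (("as shipped", BUGGY_POLICIES), ("corrected", FIXED_POLICIES)):
        print(f"{label}: {evaluate(JOB_MANIFEST, policy_set) or 'no violations'}")
```

Running the block prints four violations for the as-shipped paths and none for the corrected ones, which matches the reporter's observation that only the param and argument values were wrong. A Pod that genuinely omits resources or probes is still flagged by the corrected paths, so the fix removes the false positive without weakening the check.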
