# METADATA
# title: "Can elevate its own privileges"
# description: "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node."
# scope: package
# schemas:
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# custom:
# id: KSV001
# avd_id: AVD-KSV-0001
# severity: MEDIUM
# short_code: no-self-privesc
# recommended_action: "Set 'containers[].securityContext.allowPrivilegeEscalation' to 'false'."
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV001
import data.lib.kubernetes
import data.lib.utils
# NOTE(review): no rule in this file gives checkAllowPrivilegeEscalation a
# body, so this default looks unused by the check itself; keep it only if an
# external caller or test still references the name — confirm before removing.
default checkAllowPrivilegeEscalation = false
# getNoPrivilegeEscalationContainers is the set of container names whose
# securityContext explicitly sets allowPrivilegeEscalation to false. Only an
# explicit false qualifies: a container with the field absent is not in this
# set and is therefore reported by getPrivilegeEscalationContainers below.
getNoPrivilegeEscalationContainers[container] {
  some i
  c := kubernetes.containers[i]
  c.securityContext.allowPrivilegeEscalation == false
  container := c.name
}
# getPrivilegeEscalationContainers is the set of container objects that are
# not listed in getNoPrivilegeEscalationContainers, i.e. those with
# allowPrivilegeEscalation set to true or left unset. Membership is decided by
# container name, so the lookup relies on names being unique within the
# workload (presumably kubernetes.containers does not merge several specs
# with colliding names — confirm).
getPrivilegeEscalationContainers[c] {
  c := kubernetes.containers[_]
  name := c.name
  not getNoPrivilegeEscalationContainers[name]
}
# deny yields one finding per container that may elevate its own privileges.
# The message names the container and the enclosing workload kind and name;
# the container object itself is attached to the result (presumably so the
# engine can report the offending location — confirm).
# NOTE(review): result.new is not imported in this file — presumably supplied
# by the policy engine; verify it is in scope for standalone evaluation.
deny[res] {
  container := getPrivilegeEscalationContainers[_]
  template := "Container '%s' of %s '%s' should set 'securityContext.allowPrivilegeEscalation' to false"
  msg := kubernetes.format(sprintf(template, [container.name, kubernetes.kind, kubernetes.name]))
  res := result.new(msg, container)
}