fix(kubernetes): ensure seccompProfile is set to RuntimeDefault for all containers in deployments and similar resources #6459
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
This change addresses issue #5796 where Checkov was incorrectly throwing CKV_K8S_31 even when the seccomp RuntimeDefault profile was added under the container securityContext. The fix ensures that the check correctly validates seccompProfile settings for each container within a Pod and not just at the Deployment level. This involves updating the logic to account for the seccompProfile setting in the securityContext of individual containers. There are no additional dependencies required for this change.
Fixes # (issue)
Checkov scan was incorrectly throwing CKV_K8S_31 even when seccomp RuntimeDefault was added under the container securityContext. The issue was due to the check not accounting for settings at the container level properly. This fix ensures that the check correctly validates seccompProfile settings for each container within a Pod and not just at the Deployment level.
Description
CKV_K8S_31 checks if seccomp profile type is set to RuntimeDefault for containers. The violation occurs when this is not set, leading to potential security risks.
Fix
Updated the check to ensure that the seccompProfile type is set to RuntimeDefault within the securityContext of each container in the spec of Deployments, StatefulSets, DaemonSets, Jobs, and ReplicaSets. This involves iterating through each container, validating the seccompProfile type, and ensuring all containers have the correct RuntimeDefault setting. The check will pass only if all containers meet this requirement.
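To illustrate the per-container logic described above, here is a standalone Python reimplementation of the check (an added example, not Checkov's own code for CKV_K8S_31). It assumes the Kubernetes rule that a container-level seccompProfile overrides the pod-level one and that a container without its own profile inherits the pod-level value; legacy seccomp annotations are not handled. The sample manifests are constructed.

```python
from typing import Any, Dict, List

RUNTIME_DEFAULT = "RuntimeDefault"
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def _seccomp_type(security_context: Any) -> Any:
    """Return securityContext.seccompProfile.type, or None when absent/malformed."""
    if not isinstance(security_context, dict):
        return None
    profile = security_context.get("seccompProfile")
    return profile.get("type") if isinstance(profile, dict) else None


def _pod_spec(resource: Dict[str, Any]) -> Dict[str, Any]:
    """Locate the pod spec: top-level for a Pod, under spec.template for workloads."""
    kind = resource.get("kind")
    if kind == "Pod":
        return resource.get("spec") or {}
    if kind in WORKLOAD_KINDS:
        return ((resource.get("spec") or {}).get("template") or {}).get("spec") or {}
    return {}


def failing_containers(resource: Dict[str, Any]) -> List[str]:
    """Names of containers (and initContainers) whose effective seccomp type is not
    RuntimeDefault. Assumption: a container-level seccompProfile overrides the
    pod-level one; otherwise the pod-level value is inherited (Kubernetes semantics)."""
    spec = _pod_spec(resource)
    pod_level = _seccomp_type(spec.get("securityContext"))
    failing = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            effective = _seccomp_type(container.get("securityContext")) or pod_level
            if effective != RUNTIME_DEFAULT:
                failing.append(container.get("name", "<unnamed>"))
    return failing


def check_ckv_k8s_31(resource: Dict[str, Any]) -> str:
    # Pass only when every container resolves to RuntimeDefault.
    return "PASSED" if not failing_containers(resource) else "FAILED"


# Constructed sample: the issue #5796 shape, profile set only at container level.
CONTAINER_LEVEL = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "app", "securityContext": {"seccompProfile": {"type": RUNTIME_DEFAULT}}}]}}}}

# Constructed sample: pod-level RuntimeDefault, but one container overrides it.
MIXED = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"seccompProfile": {"type": RUNTIME_DEFAULT}},
    "containers": [{"name": "app"},
                   {"name": "sidecar", "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}}}
```

`failing_containers` returns the offending container names so a finding can point at the exact container rather than the whole Deployment.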
Checklist: