# Step 1: Evidence Details

|System|Source|Frameworks|
|---|---|---|
|kubernetes|compliancecow|-|

```
Purpose: The purpose of the control "Control Privilege Mode" is to ensure that no container in the cluster runs in privileged mode (securityContext.privileged set to true). A privileged container receives all Linux capabilities and access to the host's devices, which effectively removes the isolation between the container and the node; forbidding it reduces the risk of privilege escalation to the host and of unauthorized access. This keeps containers operating with only the permissions they actually need and so strengthens the security of the Kubernetes environment.
```
```
RecommendedEvidenceName: K8sPSPPrivilegedContainer
```

# Step 2: Define the System Specific Data (a.k.a. Extended Data Schema)

In [None]:
# Sample data 

{
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "creationTimestamp": "2024-07-20T15:44:34Z",
        "generateName": "argocd-application-16-",
        "labels": {
            "app.kubernetes.io/name": "argocd-application-16",
            "apps.kubernetes.io/pod-index": "0",
            "controller-revision-hash": "argocd-application-16-cd9bb8974",
            "statefulset.kubernetes.io/pod-name": "argocd-application-16"
        },
        "name": "argocd-application-16",
        "namespace": "argocd",
        "ownerReferences": [
            {
                "apiVersion": "apps/v1",
                "blockOwnerDeletion": true,
                "controller": true,
                "kind": "StatefulSet",
                "name": "argocd-application-16",
                "uid": "60efe84b-fdf8-4187-bfe3-f2e741f0574c"
            }
        ],
        "resourceVersion": "278101848",
        "uid": "b1fef190-7f2d-4a80-85ac-c15bbb1006d9"
    },
    "spec": {
        "affinity": {
            "podAntiAffinity": {
                "preferredDuringSchedulingIgnoredDuringExecution": [
                    {
                        "podAffinityTerm": {
                            "labelSelector": {
                                "matchLabels": {
                                    "app.kubernetes.io/name": "argocd-application-16"
                                }
                            },
                            "topologyKey": "kubernetes.io/hostname"
                        },
                        "weight": 100
                    },
                    {
                        "podAffinityTerm": {
                            "labelSelector": {
                                "matchLabels": {
                                    "app.kubernetes.io/part-of": "argocd"
                                }
                            },
                            "topologyKey": "kubernetes.io/hostname"
                        },
                        "weight": 5
                    }
                ]
            }
        },
        "containers": [
            {
                "args": [
                    "/usr/local/bin/argocd-application-16"
                ],
                "env": [
                    {
                        "name": "ARGOCD_CONTROLLER_REPLICAS",
                        "value": "1"
                    },
                    {
                        "name": "ARGOCD_RECONCILIATION_TIMEOUT",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "timeout.reconciliation",
                                "name": "argocd-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_HARD_RECONCILIATION_TIMEOUT",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "timeout.hard.reconciliation",
                                "name": "argocd-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "repo.server",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.repo.server.timeout.seconds",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.status.processors",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.operation.processors",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.log.format",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.log.level",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.metrics.cache.expiration",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.self.heal.timeout.seconds",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.repo.server.plaintext",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.repo.server.strict.tls",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.resource.health.persist",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APP_STATE_CACHE_EXPIRATION",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.app.state.cache.expiration",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "REDIS_SERVER",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "redis.server",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "REDIS_COMPRESSION",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "redis.compression",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "REDISDB",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "redis.db",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_DEFAULT_CACHE_EXPIRATION",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.default.cache.expiration",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "otlp.address",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_NAMESPACES",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "application.namespaces",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_CONTROLLER_SHARDING_ALGORITHM",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.sharding.algorithm",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    },
                    {
                        "name": "ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "key": "controller.kubectl.parallelism.limit",
                                "name": "argocd-cmd-params-cm",
                                "optional": true
                            }
                        }
                    }
                ],
                "image": "quay.io/argoproj/argocd:v2.9.2",
                "imagePullPolicy": "Always",
                "name": "argocd-application-16",
                "ports": [
                    {
                        "containerPort": 8082,
                        "protocol": "TCP"
                    }
                ],
                "readinessProbe": {
                    "failureThreshold": 3,
                    "httpGet": {
                        "path": "/healthz",
                        "port": 8082,
                        "scheme": "HTTP"
                    },
                    "initialDelaySeconds": 5,
                    "periodSeconds": 10,
                    "successThreshold": 1,
                    "timeoutSeconds": 1
                },
                "resources": {},
                "securityContext": {
                    "allowPrivilegeEscalation": false,
                    "capabilities": {
                        "drop": [
                            "ALL"
                        ]
                    },
                    "readOnlyRootFilesystem": true,
                    "runAsNonRoot": true,
                    "seccompProfile": {
                        "type": "RuntimeDefault"
                    }
                },
                "terminationMessagePath": "/dev/termination-log",
                "terminationMessagePolicy": "File",
                "volumeMounts": [
                    {
                        "mountPath": "/app/config/controller/tls",
                        "name": "argocd-repos-servers-tls"
                    },
                    {
                        "mountPath": "/home/argocd",
                        "name": "argocd-home"
                    },
                    {
                        "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
                        "name": "kube-api-access-rz2k7",
                        "readOnly": true
                    }
                ],
                "workingDir": "/home/argocd"
            }
        ],
        "dnsPolicy": "ClusterFirst",
        "enableServiceLinks": true,
        "hostname": "argocd-application-16",
        "nodeName": "aks-nodepool1-29681506-vmss000007",
        "preemptionPolicy": "PreemptLowerPriority",
        "priority": 0,
        "restartPolicy": "Always",
        "schedulerName": "default-scheduler",
        "securityContext": {},
        "serviceAccount": "argocd-application-16",
        "serviceAccountName": "argocd-application-16",
        "subdomain": "argocd-application-16",
        "terminationGracePeriodSeconds": 30,
        "tolerations": [
            {
                "effect": "NoExecute",
                "key": "node.kubernetes.io/not-ready",
                "operator": "Exists",
                "tolerationSeconds": 300
            },
            {
                "effect": "NoExecute",
                "key": "node.kubernetes.io/unreachable",
                "operator": "Exists",
                "tolerationSeconds": 300
            }
        ],
        "volumes": [
            {
                "emptyDir": {},
                "name": "argocd-home"
            },
            {
                "name": "argocd-repos-servers-tls",
                "secret": {
                    "defaultMode": 420,
                    "items": [
                        {
                            "key": "tls.crt",
                            "path": "tls.crt"
                        },
                        {
                            "key": "tls.key",
                            "path": "tls.key"
                        },
                        {
                            "key": "ca.crt",
                            "path": "ca.crt"
                        }
                    ],
                    "optional": true,
                    "secretName": "argocd-repos-servers-tls"
                }
            },
            {
                "name": "kube-api-access-rz2k7",
                "projected": {
                    "defaultMode": 420,
                    "sources": [
                        {
                            "serviceAccountToken": {
                                "expirationSeconds": 3607,
                                "path": "token"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca.crt",
                                        "path": "ca.crt"
                                    }
                                ],
                                "name": "kube-root-ca.crt"
                            }
                        },
                        {
                            "downwardAPI": {
                                "items": [
                                    {
                                        "fieldRef": {
                                            "apiVersion": "v1",
                                            "fieldPath": "metadata.namespace"
                                        },
                                        "path": "namespace"
                                    }
                                ]
                            }
                        }
                    ]
                }
            }
        ]
    },
    "status": {
        "conditions": [
            {
                "lastProbeTime": null,
                "lastTransitionTime": "2024-07-20T15:44:34Z",
                "status": "True",
                "type": "Initialized"
            },
            {
                "lastProbeTime": null,
                "lastTransitionTime": "2024-07-20T15:46:24Z",
                "status": "True",
                "type": "Ready"
            },
            {
                "lastProbeTime": null,
                "lastTransitionTime": "2024-07-20T15:46:24Z",
                "status": "True",
                "type": "ContainersReady"
            },
            {
                "lastProbeTime": null,
                "lastTransitionTime": "2024-07-20T15:44:34Z",
                "status": "True",
                "type": "PodScheduled"
            }
        ],
        "containerStatuses": [
            {
                "containerID": "containerd://u7eb54439cdd32892dfeb65288y56t400c4c0c0fe61cf707ac9e88a4d53dsdafdc4",
                "image": "quay.io/argoproj/argocd:v2.9.2",
                "imageID": "quay.io/argoproj/argocd@sha256:9976d347f3fa4c56a0129d1c0a0f5ed1e75668f0499f1ed7e917a405fd909dc",
                "lastState": {},
                "name": "argocd-application-16",
                "ready": true,
                "restartCount": 0,
                "started": true,
                "state": {
                    "running": {
                        "startedAt": "2024-07-20T15:46:10Z"
                    }
                }
            }
        ],
        "hostIP": "10.4.44.444",
        "phase": "Running",
        "podIP": "10.5.55.555",
        "podIPs": [
            {
                "ip": "10.5.55.555"
            }
        ],
        "qosClass": "BestEffort",
        "startTime": "2024-07-20T15:44:34Z"
    }
}

# Step 3: Define the Standard Schema
  


In [None]:
{
    # Meta
    "System": "kubernetes",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "Pod/argocd-application-16",
    "ResourceName": "argocd-application-16",
    "ResourceType": "Pod",
    "ResourceTags": "",

    # Data
    "Namespace": "argocd",
    "ClusterType": "Private cluster",
    "ClusterName": "cr-dev-eks-cr-4",
    "RuleName": "k8spspprivileged",
    
    # Compliance details
    "ValidationStatusCode": "PM_PR",
    "ValidationStatusNotes": "Privileged mode control present (no container in the Pod runs privileged)",
    "ComplianceStatus": "COMPLIANT",
    "ComplianceStatusReason": "Controlling privileged mode reduces security risks.",
    "RemediationNotes": "",
    "EvaluatedTime": "2024-07-26T07:03:22.937338131Z",

    # User editable data
    "PrNumber": "",
    "PrStatus": "",
    "CommitID": "",
    "TicketCreatedDate": "",
    "TicketClosedDate": "",
    "UserAction":"",

    # Action editable data
    "ActionStatus":"",
    "ActionResponseURL":""
    
}

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceTags|Namespace|ClusterType|ClusterName|RuleName|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|RemediationNotes|EvaluatedTime|PrNumber|PrStatus|CommitID|TicketCreatedDate|TicketClosedDate|UserAction|ActionStatus|ActionResponseURL|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|kubernetes|compliancecow|Pod/argocd-application-16-0|argocd-application-16-0|Pod||argocd|Private cluster|cr-dev-eks-cr-4|k8spspprivileged|PM_PR|Privileged mode control present (no container in the Pod runs privileged)|COMPLIANT|Controlling privileged mode reduces security risks.||2024-07-25T15:10:04.415670058Z|||||||||

# Step 4: Describe the Compliance Taxonomy


|ComplianceStatus|ComplianceStatusReason|ValidationStatusCode|ValidationStatusNotes|
|---|---|---|---|
|COMPLIANT|Controlling privileged mode reduces security risks.|PM_PR|Privileged mode control present (no container in the Pod runs privileged)|
|NON_COMPLIANT|This record is non compliant because privileged mode is not controlled, which increases security risks.|PM_NP|Privileged mode control not present (at least one container in the Pod runs privileged)|
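Worked example of the check behind Steps 2 to 4, added here as illustration; it is not ComplianceCow code and not part of the original page. It assumes Python and two constructed Pods: the first is trimmed from the Step 2 object, the second is hypothetical. Two details matter for a correct evaluator. In the Step 2 Pod no container carries a `privileged` key at all; Kubernetes defaults that field to false, so a missing key must count as compliant, not as unknown. And `privileged` exists only at container level (the pod-level `securityContext`, empty in the sample, has no such field), so the check must walk `initContainers` and `ephemeralContainers` as well as `containers`.

```python
from datetime import datetime, timezone

# Constructed sample, trimmed from the Step 2 Pod. No container carries a
# `privileged` key: Kubernetes defaults it to false.
SAMPLE_HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "argocd-application-16", "namespace": "argocd",
                 "labels": {"app.kubernetes.io/name": "argocd-application-16"}},
    "spec": {
        "securityContext": {},  # PodSecurityContext has no `privileged` field
        "containers": [{
            "name": "argocd-application-16",
            "image": "quay.io/argoproj/argocd:v2.9.2",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]},
                                "readOnlyRootFilesystem": True,
                                "runAsNonRoot": True},
        }],
    },
}

# Constructed, hypothetical offender: the app container is explicitly
# unprivileged, but an initContainer runs privileged. A check that only
# walks spec.containers would wrongly mark this Pod COMPLIANT.
SAMPLE_PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "sysctl-tuner-7c9d", "namespace": "kube-tools"},
    "spec": {
        "initContainers": [{"name": "sysctl-tuner",
                            "securityContext": {"privileged": True}}],
        "containers": [{"name": "app", "securityContext": {"privileged": False}}],
    },
}

CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def privileged_containers(pod):
    """Return '<field>/<name>' for every container whose securityContext.privileged
    is true. A missing securityContext, a null one, or a missing key all mean
    privileged=false, which is the API default."""
    spec = pod.get("spec") or {}
    found = []
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            ctx = container.get("securityContext") or {}
            if ctx.get("privileged") is True:
                found.append(f"{field}/{container.get('name', '<unnamed>')}")
    return found


def evaluate(pod, cluster_name, cluster_type="Private cluster", evaluated_time=None):
    """Map one Pod onto the Step 3 record. Cluster name/type come from the
    collector, not from the Pod, so they are parameters here (assumption)."""
    meta = pod.get("metadata") or {}
    offenders = privileged_containers(pod)
    compliant = not offenders
    kind = pod.get("kind", "Pod")
    when = evaluated_time or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    record = {
        "System": "kubernetes",
        "Source": "compliancecow",
        "ResourceID": f"{kind}/{meta.get('name', '')}",
        "ResourceName": meta.get("name", ""),
        "ResourceType": kind,
        # Assumption: labels rendered as k=v pairs; the page leaves this field empty.
        "ResourceTags": ",".join(f"{k}={v}" for k, v in sorted((meta.get("labels") or {}).items())),
        "Namespace": meta.get("namespace", ""),
        "ClusterType": cluster_type,
        "ClusterName": cluster_name,
        "RuleName": "k8spspprivileged",
        "ValidationStatusCode": "PM_PR" if compliant else "PM_NP",
        "ValidationStatusNotes": (
            "Privileged mode control present (no container in the Pod runs privileged)"
            if compliant else
            "Privileged mode control not present: " + ", ".join(offenders)),
        "ComplianceStatus": "COMPLIANT" if compliant else "NON_COMPLIANT",
        "ComplianceStatusReason": (
            "Controlling privileged mode reduces security risks." if compliant else
            "This record is non compliant because privileged mode is not controlled, "
            "which increases security risks."),
        "RemediationNotes": (
            "" if compliant else
            "Set securityContext.privileged to false (or remove it) on: " + ", ".join(offenders)),
        "EvaluatedTime": when,
    }
    # User- and action-editable fields start empty, as in Step 3.
    for key in ("PrNumber", "PrStatus", "CommitID", "TicketCreatedDate",
                "TicketClosedDate", "UserAction", "ActionStatus", "ActionResponseURL"):
        record[key] = ""
    return record


if __name__ == "__main__":
    for sample in (SAMPLE_HARDENED_POD, SAMPLE_PRIVILEGED_POD):
        rec = evaluate(sample, cluster_name="cr-dev-eks-cr-4")
        print(rec["ResourceID"], rec["ComplianceStatus"], rec["ValidationStatusNotes"])
```

The offender list is carried into `ValidationStatusNotes` and `RemediationNotes` so that the record says which container to fix, which is what the Step 6 actions need when they open a PR or a ticket.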

# Step 5: Calculation for Compliance Percentage and Status


In [None]:
# Calculation of Compliance Percentage
CompliancePCT = 100 - (Count of 'NON_COMPLIANT' records * 100) / Total records

# Compliance Status
#COMPLIANT - CompliancePCT == 100% (no NON_COMPLIANT records)
#NON_COMPLIANT - 0% <= CompliancePCT < 100% (at least one NON_COMPLIANT record)
#NOT_DETERMINED - If no records are found in the account (Total records == 0, so the percentage is undefined)
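The formula above as an added Python example (not ComplianceCow code), covering the two edge cases a practitioner needs: an empty result set yields NOT_DETERMINED instead of a division by zero or a misleading 100%, and the status is derived from the NON_COMPLIANT count rather than from float equality with 100. The records are constructed.

```python
def compliance_summary(records):
    """Apply the Step 5 formula to a list of Step 3 records.

    Returns CompliancePCT rounded to two decimals (None when undefined) and the
    derived ComplianceStatus. The status comes from the NON_COMPLIANT count, not
    from `pct == 100.0`, so one privileged Pod among thousands cannot round its
    way to COMPLIANT."""
    total = len(records)
    non_compliant = sum(1 for r in records if r.get("ComplianceStatus") == "NON_COMPLIANT")
    if total == 0:
        # Nothing was collected: the formula would divide by zero, and an
        # empty collection must never be reported as 100% compliant.
        return {"Total": 0, "NonCompliant": 0, "CompliancePCT": None,
                "ComplianceStatus": "NOT_DETERMINED"}
    pct = 100 - (non_compliant * 100) / total
    return {"Total": total, "NonCompliant": non_compliant,
            "CompliancePCT": round(pct, 2),
            "ComplianceStatus": "COMPLIANT" if non_compliant == 0 else "NON_COMPLIANT"}


# Constructed records: only ComplianceStatus matters to the formula.
SAMPLE_RECORDS = [
    {"ResourceID": "Pod/argocd-application-16", "ComplianceStatus": "COMPLIANT"},
    {"ResourceID": "Pod/argocd-repo-server-0", "ComplianceStatus": "COMPLIANT"},
    {"ResourceID": "Pod/sysctl-tuner-7c9d", "ComplianceStatus": "NON_COMPLIANT"},
]

if __name__ == "__main__":
    print(compliance_summary(SAMPLE_RECORDS))  # 1 of 3 offending -> 66.67, NON_COMPLIANT
    print(compliance_summary([]))              # -> NOT_DETERMINED
```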

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

1. NotifyBySlackChannel
2. OpaGitHubRemediation

# Step 7. Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | EvaluateTypeOpaRule    |
| **PreRequisiteRuleNames**  |           |
| **ExtendedSchemaRuleNames**|            |
| **ApplicationClassName**   | kubernetes               |