
Kubernetes Security Check Flagging KSV020 and KSV021 when configured at pod level #1187

Closed
thomaschilton-viavi opened this issue Aug 17, 2021 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

thomaschilton-viavi commented Aug 17, 2021

Description

Using the Pod security-context example from the Kubernetes documentation: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

With Pod definition (and updated Id values):

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 10001
    runAsGroup: 30001
    fsGroup: 20001
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

Then trivy flags the following issues:

$ trivy conf --severity CRITICAL,HIGH,MEDIUM,LOW  .
2021-08-17T16:51:49.064+0100    INFO    Detected config files: 1

security-context.yaml (kubernetes)
==================================
Tests: 28 (SUCCESSES: 17, FAILURES: 11, EXCEPTIONS: 0)
Failures: 11 (LOW: 7, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

+---------------------------+------------+-----------------------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |               CHECK               | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+-----------------------------------+----------+------------------------------------------+
...
|                           |   KSV020   | Runs with low user ID             |          | Container 'sec-ctx-demo' of Pod          |
|                           |            |                                   |          | 'security-context-demo' should set       |
|                           |            |                                   |          | 'securityContext.runAsUser' > 10000      |
|                           |            |                                   |          | -->avd.aquasec.com/appshield/ksv020      |
+                           +------------+-----------------------------------+          +------------------------------------------+
|                           |   KSV021   | Runs with low group ID            |          | Container 'sec-ctx-demo' of Pod          |
|                           |            |                                   |          | 'security-context-demo' should set       |
|                           |            |                                   |          | 'securityContext.runAsGroup' > 10000     |
|                           |            |                                   |          | -->avd.aquasec.com/appshield/ksv021      |
+---------------------------+------------+-----------------------------------+----------+------------------------------------------+

What did you expect to happen?

Given this is a Pod, and securityContext.runAsUser and securityContext.runAsGroup are defined at the Pod level, the configuration applies to all containers and should not flag an issue.

What happened instead?

KSV020 and KSV021 are being flagged as issues at the container level.

Output of run with -debug:

N/A

Output of trivy -v:

$ trivy -v
Version: 0.19.2
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2021-08-16 06:04:44.439971825 +0000 UTC
  NextUpdate: 2021-08-16 12:04:44.439971525 +0000 UTC
  DownloadedAt: 2021-08-16 08:47:01.8669914 +0000 UTC

Additional details (base image name, container registry info...):

N/A
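The precedence rule the report relies on is that a value set in a container's securityContext wins, otherwise the pod-level securityContext value applies to every container (and init container), and only if neither sets it does the image's USER decide at runtime. The following script, added here as an illustration and not code from Trivy or the AppShield policies, resolves the effective runAsUser/runAsGroup per container that way and only then applies the "> 10000" threshold that the KSV020/KSV021 messages describe. It reads a Pod in JSON form (as produced by `kubectl get pod <name> -o json`) so it needs only the standard library; the embedded manifest is a constructed JSON copy of the YAML above, and the function names, the `THRESHOLD` constant and the finding format are this example's own choices, not Trivy's.

```python
"""Resolve the effective runAsUser/runAsGroup of every container in a Pod
manifest (container securityContext overrides pod securityContext), then
apply the KSV020/KSV021 "> 10000" threshold to the effective values.
Example code for this issue; not part of Trivy or AppShield."""
import json

THRESHOLD = 10000  # KSV020/KSV021 message: runAsUser/runAsGroup should be > 10000

# Constructed sample: the Pod from the issue, in JSON so only the stdlib is needed.
SAMPLE_POD_JSON = """
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "security-context-demo"},
  "spec": {
    "securityContext": {"runAsUser": 10001, "runAsGroup": 30001, "fsGroup": 20001},
    "volumes": [{"name": "sec-ctx-vol", "emptyDir": {}}],
    "containers": [
      {
        "name": "sec-ctx-demo",
        "image": "busybox",
        "command": ["sh", "-c", "sleep 1h"],
        "volumeMounts": [{"name": "sec-ctx-vol", "mountPath": "/data/demo"}],
        "securityContext": {"allowPrivilegeEscalation": false}
      }
    ]
  }
}
"""


def load_pod(text: str = SAMPLE_POD_JSON) -> dict:
    """Parse a Pod manifest in JSON form; each call returns a fresh dict."""
    return json.loads(text)


def effective_ids(pod: dict) -> dict:
    """Return {container_name: {"runAsUser": int|None, "runAsGroup": int|None}}
    for every initContainer and container. A key set in the container's own
    securityContext wins; otherwise the pod-level value is inherited; otherwise
    it is None (unset in the manifest, so the image's USER applies at runtime)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    result = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        c_sc = c.get("securityContext") or {}
        result[c["name"]] = {
            key: c_sc.get(key, pod_sc.get(key))
            for key in ("runAsUser", "runAsGroup")
        }
    return result


def check_low_ids(pod: dict, threshold: int = THRESHOLD) -> list:
    """Emulate KSV020/KSV021 on the *effective* IDs rather than on the
    container block alone. Returns (check_id, container_name, reason) tuples;
    an empty list means both checks pass. An ID that is unset at both levels
    is reported too, because the manifest then gives no guarantee at all."""
    findings = []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    for cname, ids in effective_ids(pod).items():
        for check_id, key in (("KSV020", "runAsUser"), ("KSV021", "runAsGroup")):
            value = ids[key]
            if value is None:
                findings.append((check_id, cname,
                                 f"{key} unset at pod and container level of Pod '{pod_name}'"))
            elif value <= threshold:
                findings.append((check_id, cname,
                                 f"effective {key}={value} is not > {threshold}"))
    return findings


if __name__ == "__main__":
    pod = load_pod()
    print(effective_ids(pod))   # sec-ctx-demo inherits 10001/30001 from the pod level
    print(check_low_ids(pod))   # [] : the issue's manifest passes both checks

    # Container-level override beats the pod level: this one must be flagged.
    overridden = load_pod()
    overridden["spec"]["containers"][0]["securityContext"]["runAsUser"] = 1000
    print(check_low_ids(overridden))
```

Run it as `python3 check_ids.py`, or feed it `kubectl get pod <name> -o json` via `load_pod(open(path).read())`. The second case in `__main__` is the one a corrected policy must still catch: a pod-level runAsUser of 10001 is no defence when the container sets its own lower value.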

@knqyf263 (Collaborator)

Thank you for reporting. We track issues regarding policies in the AppShield repository, as described here. So please track the following issue:
aquasecurity/appshield#126

gysel commented Jan 7, 2025

This bug still exists. I reported it again as #8208.
