From b45cf437226c4cc0658e9423e807eeb19eb4b2bf Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Fri, 2 Oct 2020 09:10:36 +0200 Subject: [PATCH 01/16] Introduce securityContext for operator The `nonroot` user assignment was removed from the dockerfile as this was already set via the `:nonroot` tag. This user is already set using its uid. This allows the `runAsNonRoot` securityContext Flag to work correctly. --- operator/Dockerfile | 1 - operator/templates/manager/manager.yaml | 2 ++ operator/values.yaml | 11 ++++++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/operator/Dockerfile b/operator/Dockerfile index 0257cc0d..44c1379e 100644 --- a/operator/Dockerfile +++ b/operator/Dockerfile @@ -28,6 +28,5 @@ ENV TELEMETRY_ENABLED "true" WORKDIR / COPY --from=builder /workspace/manager . -USER nonroot:nonroot ENTRYPOINT ["/manager"] diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml index 9bc7c197..75b7a795 100644 --- a/operator/templates/manager/manager.yaml +++ b/operator/templates/manager/manager.yaml @@ -77,4 +77,6 @@ spec: value: {{ .Values.lurcher.image.pullPolicy }} resources: {{- toYaml .Values.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} terminationGracePeriodSeconds: 10 diff --git a/operator/values.yaml b/operator/values.yaml index e6ab5b82..487acea0 100644 --- a/operator/values.yaml +++ b/operator/values.yaml @@ -12,7 +12,16 @@ image: # @default -- defaults to the charts version tag: null # image.pullPolicy -- Image pull policy - pullPolicy: Always + pullPolicy: IfNotPresent + +securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: + - all lurcher: image: From 1c597ed047a31594a44f7e36870ffbc7dde11d21 Mon Sep 17 00:00:00 2001 
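Review bot: The `pullPolicy: Always` → `pullPolicy: IfNotPresent` line in the operator/values.yaml hunk is unrelated to the securityContext this commit introduces and is not mentioned in the commit message, and it points the opposite way from patch 04, which moves hook jobs to `Always` on multi-tenancy grounds; either keep `pullPolicy: Always` here or state the rationale in the message. In the same hunk the dropped capability is spelled `- all`; the Kubernetes convention is `- ALL`, and policy checks that look for a dropped `ALL` (the restricted Pod Security Standard, for example) may compare case-sensitively, so consider `drop:` / `- ALL` here and in the `[]corev1.Capability{"all"}` literals added to scan_reconciler.go, hook_reconciler.go and parse_reconciler.go in patches 02 and 03. Note that `runAsNonRoot: true` is only enforceable because the operator image now inherits a numeric UID from its `:nonroot` base tag, which is what the `USER nonroot:nonroot` removal in this patch relies on; worth a one-line comment above `runAsNonRoot` so a later Dockerfile change does not silently break it.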
From: Jannik Hollenbach Date: Fri, 2 Oct 2020 09:29:08 +0200 Subject: [PATCH 02/16] Add securityContext to lurcher --- lurcher/Dockerfile | 1 - .../controllers/execution/scans/scan_reconciler.go | 12 ++++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/lurcher/Dockerfile b/lurcher/Dockerfile index 38d1d11b..c5b5cf1e 100644 --- a/lurcher/Dockerfile +++ b/lurcher/Dockerfile @@ -20,6 +20,5 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o lurcher FROM gcr.io/distroless/static:nonroot WORKDIR / COPY --from=builder /workspace/lurcher . -USER nonroot:nonroot ENTRYPOINT ["/lurcher"] diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go index 71bddf9a..78bb6bf1 100644 --- a/operator/controllers/execution/scans/scan_reconciler.go +++ b/operator/controllers/execution/scans/scan_reconciler.go @@ -221,6 +221,9 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e return nil, fmt.Errorf("Unknown imagePull Policy for lurcher: %s", lurcherPullPolicyRaw) } + falsePointer := false + truePointer := true + lurcherSidecar := &corev1.Container{ Name: "lurcher", Image: lurcherImage, @@ -260,6 +263,15 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e ReadOnly: true, }, }, + SecurityContext: &corev1.SecurityContext{ + RunAsNonRoot: &truePointer, + AllowPrivilegeEscalation: &falsePointer, + ReadOnlyRootFilesystem: &truePointer, + Privileged: &falsePointer, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"all"}, + }, + }, } job.Spec.Template.Spec.Containers = append(job.Spec.Template.Spec.Containers, *lurcherSidecar) From 760a745723ec55d438dab4b557ac0670dc0bf73b Mon Sep 17 00:00:00 2001 
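Review bot: The `SecurityContext` literal added to the lurcher sidecar in the second scan_reconciler.go hunk is repeated verbatim in hook_reconciler.go and parse_reconciler.go (patch 03), each with its own `truePointer`/`falsePointer` locals, so the three copies will drift the first time one of them is tightened or relaxed. Extracting one package-level helper keeps the hardened defaults in a single place and makes the `truePointer := true` / `falsePointer := false` declarations in the first hunk unnecessary. `constructJobForScan` starts before and continues after both hunks.
```go
// restrictedSecurityContext returns the hardened per-container settings
// shared by the lurcher sidecar and the parser and hook jobs.
func restrictedSecurityContext() *corev1.SecurityContext {
	truePointer := true
	falsePointer := false
	return &corev1.SecurityContext{
		RunAsNonRoot:             &truePointer,
		AllowPrivilegeEscalation: &falsePointer,
		ReadOnlyRootFilesystem:   &truePointer,
		Privileged:               &falsePointer,
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"all"},
		},
	}
}

// … unchanged: lurcher container definition up to VolumeMounts …
		SecurityContext: restrictedSecurityContext(),
```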
From: Jannik Hollenbach Date: Fri, 2 Oct 2020 09:46:29 +0200 Subject: [PATCH 03/16] Add securityContext to parsers and hooks --- hook-sdk/nodejs/Dockerfile | 4 ++-- .../controllers/execution/scans/hook_reconciler.go | 11 +++++++++++ .../controllers/execution/scans/parse_reconciler.go | 11 +++++++++++ parser-sdk/nodejs/Dockerfile | 4 ++-- 4 files changed, 26 insertions(+), 4 deletions(-) diff --git a/hook-sdk/nodejs/Dockerfile b/hook-sdk/nodejs/Dockerfile index bce6e837..25e6f10b 100644 --- a/hook-sdk/nodejs/Dockerfile +++ b/hook-sdk/nodejs/Dockerfile @@ -5,10 +5,10 @@ RUN npm ci --production FROM node:12-alpine ARG NODE_ENV -RUN addgroup -S app && adduser app -S -G app +RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app WORKDIR /home/app/hook-wrapper/ COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ COPY --chown=app:app ./hook-wrapper.js ./hook-wrapper.js -USER app +USER 1001 ENV NODE_ENV ${NODE_ENV:-production} ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"] \ No newline at end of file diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go index 899a9eb7..388848df 100644 --- a/operator/controllers/execution/scans/hook_reconciler.go +++ b/operator/controllers/execution/scans/hook_reconciler.go @@ -362,6 +362,8 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook, labels["experimental.securecodebox.io/hook-name"] = hook.Name var backOffLimit int32 = 3 + truePointer := true + falsePointer := false job := &batch.Job{ ObjectMeta: metav1.ObjectMeta{ Annotations: make(map[string]string), 
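Review bot: `USER 1001` in the hook-sdk Dockerfile hunk pins only the UID; the primary group is then resolved from the image's /etc/passwd at start-up, so a later change to the `adduser` line could alter the effective GID without touching `USER`. Writing `USER 1001:1001` fixes both explicitly and matches the `--gid 1001`/`--uid 1001` the same hunk adds, which is what lets `runAsNonRoot` be verified without a passwd lookup. The parser-sdk Dockerfile hunk in this patch has the identical `USER 1001` line.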
@@ -399,6 +401,15 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook, corev1.ResourceMemory: resource.MustParse("200Mi"), }, }, + SecurityContext: &corev1.SecurityContext{ + RunAsNonRoot: &truePointer, + AllowPrivilegeEscalation: &falsePointer, + ReadOnlyRootFilesystem: &truePointer, + Privileged: &falsePointer, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"all"}, + }, + }, }, }, }, diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go index 7323c234..2daf5a05 100644 --- a/operator/controllers/execution/scans/parse_reconciler.go +++ b/operator/controllers/execution/scans/parse_reconciler.go @@ -80,6 +80,8 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error { labels["experimental.securecodebox.io/job-type"] = "parser" automountServiceAccountToken := true var backOffLimit int32 = 3 + truePointer := true + falsePointer := false job := &batch.Job{ ObjectMeta: metav1.ObjectMeta{ Annotations: make(map[string]string), @@ -133,6 +135,15 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error { corev1.ResourceMemory: resource.MustParse("200Mi"), }, }, + SecurityContext: &corev1.SecurityContext{ + RunAsNonRoot: &truePointer, + AllowPrivilegeEscalation: &falsePointer, + ReadOnlyRootFilesystem: &truePointer, + Privileged: &falsePointer, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"all"}, + }, + }, }, }, AutomountServiceAccountToken: &automountServiceAccountToken, diff --git a/parser-sdk/nodejs/Dockerfile b/parser-sdk/nodejs/Dockerfile index 23aa0dd6..62d9a767 100644 --- a/parser-sdk/nodejs/Dockerfile +++ b/parser-sdk/nodejs/Dockerfile 
@@ -5,10 +5,10 @@ RUN npm ci --production FROM node:12-alpine ARG NODE_ENV -RUN addgroup -S app && adduser app -S -G app +RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app WORKDIR /home/app/parser-wrapper/ COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ COPY --chown=app:app ./parser-wrapper.js ./parser-wrapper.js -USER app +USER 1001 ENV NODE_ENV ${NODE_ENV:-production} ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"] \ No newline at end of file From 545cb3ecbbd0a5411ac9e1cef277357d5d9d6d7b Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Fri, 2 Oct 2020 09:48:51 +0200 Subject: [PATCH 04/16] Change hook imagePullPolicy to always This is more online with the parser and allows them to run in cluster with extremly high security requirements / or hard enforced multi tenancy. See: https://kubernetes.io/docs/concepts/containers/images/#use-cases --- operator/controllers/execution/scans/hook_reconciler.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go index 388848df..0a95c43a 100644 --- a/operator/controllers/execution/scans/hook_reconciler.go +++ b/operator/controllers/execution/scans/hook_reconciler.go @@ -390,7 +390,7 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook, Image: hook.Spec.Image, Args: cliArgs, Env: append(hook.Spec.Env, standardEnvVars...), - ImagePullPolicy: "IfNotPresent", + ImagePullPolicy: "Always", Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ corev1.ResourceCPU: resource.MustParse("200m"), From fe0ab8a5c40ad7f6ca71c4cc2108d9e027b4f407 Mon Sep 17 00:00:00 2001 From: J12934 Date: Fri, 2 Oct 2020 07:49:22 +0000 Subject: [PATCH 05/16] Updating Helm Docs --- operator/README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
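Review bot: `ImagePullPolicy: "Always"` in the hook_reconciler.go hunk relies on an untyped string constant converting to `corev1.PullPolicy`; the API package already exports the value, so `ImagePullPolicy: corev1.PullAlways,` is the same behaviour with a compile-time check against typos. If the intent is the multi-tenancy guarantee the commit message cites, that is ultimately enforced cluster-side (the linked docs describe the AlwaysPullImages admission controller), so a short comment on this line saying the policy is a default rather than an enforcement would help the next reader. `createJobForHook` starts before and continues after the hunk.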
diff --git a/operator/README.md b/operator/README.md index b9e46fbe..f2a556a3 100644 --- a/operator/README.md +++ b/operator/README.md @@ -21,7 +21,7 @@ helm install securecodebox-operator secureCodeBox/operator | Key | Type | Default | Description | |-----|------|---------|-------------| -| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | image.repository | string | `"docker.io/scbexperimental/operator"` | The operator image repository | | image.tag | string | defaults to the charts version | Parser image tag | | lurcher.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | @@ -38,5 +38,10 @@ helm install securecodebox-operator secureCodeBox/operator | s3.port | string | `nil` | | | s3.secretAttributeNames.accesskey | string | `"accesskey"` | | | s3.secretAttributeNames.secretkey | string | `"secretkey"` | | +| securityContext.allowPrivilegeEscalation | bool | `false` | | +| securityContext.capabilities.drop[0] | string | `"all"` | | +| securityContext.privileged | bool | `false` | | +| securityContext.readOnlyRootFilesystem | bool | `true` | | +| securityContext.runAsNonRoot | bool | `true` | | | telemetryEnabled | bool | `true` | The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry | From e2829c8fd42259aaefe9c9776b624838b669e459 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Fri, 2 Oct 2020 10:15:18 +0200 Subject: [PATCH 06/16] Ensure hook image is using the image for the current commit --- .github/workflows/ci.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a60b652f..9e40ace6 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -404,7 +404,9 @@ jobs: run: | helm -n integration-tests install test-scan ./scanners/test-scan/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" helm -n integration-tests install http-webhook ./demo-apps/http-webhook - helm -n integration-tests install ro-hook ./hooks/generic-webhook/ --set="webhookUrl=http://http-webhook/hallo-welt" + helm -n integration-tests install ro-hook ./hooks/generic-webhook/ \ + --set="webhookUrl=http://http-webhook/hallo-welt" \ + --set="image.tag=sha-$(git rev-parse --short HEAD)" cd tests/integration/ npx jest --ci --color read-only-hook helm -n integration-tests uninstall test-scan http-webhook ro-hook From 00bcc1fdc91ca146f8a6a3fe8b17f4a8dfa009fb Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Fri, 2 Oct 2020 10:19:27 +0200 Subject: [PATCH 07/16] Autoformat values.yaml --- scanners/amass/values.yaml | 16 ++++++++-------- scanners/kube-hunter/values.yaml | 14 +++++++------- scanners/ncrack/values.yaml | 14 +++++++------- scanners/nikto/values.yaml | 14 +++++++------- scanners/nmap/values.yaml | 14 +++++++------- scanners/ssh_scan/values.yaml | 14 +++++++------- scanners/sslyze/values.yaml | 14 +++++++------- scanners/test-scan/values.yaml | 14 +++++++------- scanners/trivy/values.yaml | 14 +++++++------- scanners/wpscan/values.yaml | 14 +++++++------- scanners/zap/values.yaml | 14 +++++++------- 11 files changed, 78 insertions(+), 78 deletions(-) diff --git a/scanners/amass/values.yaml b/scanners/amass/values.yaml index 124c97b3..e56e61c9 100644 --- a/scanners/amass/values.yaml +++ b/scanners/amass/values.yaml 
@@ -11,13 +11,13 @@ scannerJob: # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# resources: -# requests: -# memory: "256Mi" -# cpu: "250m" -# limits: -# memory: "512Mi" -# cpu: "500m" + # resources: + # requests: + # memory: "256Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] @@ -29,4 +29,4 @@ scannerJob: extraVolumeMounts: [] # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) - extraContainers: [] \ No newline at end of file + extraContainers: [] diff --git a/scanners/kube-hunter/values.yaml b/scanners/kube-hunter/values.yaml index ab4c6bb4..8af7fe2d 100644 --- a/scanners/kube-hunter/values.yaml +++ b/scanners/kube-hunter/values.yaml @@ -11,13 +11,13 @@ scannerJob: # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# resources: -# requests: -# memory: "256Mi" -# cpu: "250m" -# limits: -# memory: "512Mi" -# cpu: "500m" + # resources: + # requests: + # memory: "256Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] diff --git a/scanners/ncrack/values.yaml b/scanners/ncrack/values.yaml index 461a8045..86d0fc85 100644 --- a/scanners/ncrack/values.yaml 
+++ b/scanners/ncrack/values.yaml @@ -11,13 +11,13 @@ scannerJob: # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# resources: -# requests: -# memory: "256Mi" -# cpu: "250m" -# limits: -# memory: "512Mi" -# cpu: "500m" + # resources: + # requests: + # memory: "256Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] diff --git a/scanners/nikto/values.yaml b/scanners/nikto/values.yaml index 996b8a2e..3941cce7 100644 --- a/scanners/nikto/values.yaml +++ b/scanners/nikto/values.yaml @@ -11,13 +11,13 @@ scannerJob: # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# resources: -# requests: -# memory: "256Mi" -# cpu: "250m" -# limits: -# memory: "512Mi" -# cpu: "500m" + # resources: + # requests: + # memory: "256Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] diff --git a/scanners/nmap/values.yaml b/scanners/nmap/values.yaml index 25f80067..903ee75c 100644 --- a/scanners/nmap/values.yaml +++ b/scanners/nmap/values.yaml 
@@ -11,13 +11,13 @@ scannerJob: # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# resources: -# requests: -# memory: "256Mi" -# cpu: "250m" -# limits: -# memory: "512Mi" -# cpu: "500m" + # resources: + # requests: + # memory: "256Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] diff --git a/scanners/ssh_scan/values.yaml b/scanners/ssh_scan/values.yaml index 61a043e7..596b960e 100644 --- a/scanners/ssh_scan/values.yaml +++ b/scanners/ssh_scan/values.yaml @@ -11,13 +11,13 @@ scannerJob: # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# resources: -# requests: -# memory: "256Mi" -# cpu: "250m" -# limits: -# memory: "512Mi" -# cpu: "500m" + # resources: + # requests: + # memory: "256Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] diff --git a/scanners/sslyze/values.yaml b/scanners/sslyze/values.yaml index e7b01fcc..754e28a8 100644 --- a/scanners/sslyze/values.yaml +++ b/scanners/sslyze/values.yaml 
@@ -11,13 +11,13 @@ scannerJob: # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# resources: -# requests: -# memory: "256Mi" -# cpu: "250m" -# limits: -# memory: "512Mi" -# cpu: "500m" + # resources: + # requests: + # memory: "256Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] diff --git a/scanners/test-scan/values.yaml b/scanners/test-scan/values.yaml index df7449ac..e7014edf 100644 --- a/scanners/test-scan/values.yaml +++ b/scanners/test-scan/values.yaml @@ -11,13 +11,13 @@ scannerJob: # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# resources: -# requests: -# memory: "256Mi" -# cpu: "250m" -# limits: -# memory: "512Mi" -# cpu: "500m" + # resources: + # requests: + # memory: "256Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] diff --git a/scanners/trivy/values.yaml b/scanners/trivy/values.yaml index 5724d870..8592c6b9 100644 --- a/scanners/trivy/values.yaml +++ b/scanners/trivy/values.yaml 
@@ -11,13 +11,13 @@ scannerJob: # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# resources: -# requests: -# memory: "256Mi" -# cpu: "250m" -# limits: -# memory: "512Mi" -# cpu: "500m" + # resources: + # requests: + # memory: "256Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] diff --git a/scanners/wpscan/values.yaml b/scanners/wpscan/values.yaml index ebb7331b..779ca049 100644 --- a/scanners/wpscan/values.yaml +++ b/scanners/wpscan/values.yaml @@ -11,13 +11,13 @@ scannerJob: # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# resources: -# requests: -# memory: "256Mi" -# cpu: "250m" -# limits: -# memory: "512Mi" -# cpu: "500m" + # resources: + # requests: + # memory: "256Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] diff --git a/scanners/zap/values.yaml b/scanners/zap/values.yaml index 3463cc8e..61e6399b 100644 --- a/scanners/zap/values.yaml +++ b/scanners/zap/values.yaml 
@@ -11,13 +11,13 @@ scannerJob: # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# resources: -# requests: -# memory: "256Mi" -# cpu: "250m" -# limits: -# memory: "512Mi" -# cpu: "500m" + # resources: + # requests: + # memory: "256Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] From 4067331bac06bffff78f11f1405c8148d524854a Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Fri, 2 Oct 2020 13:02:13 +0200 Subject: [PATCH 08/16] Add commentes to operator securityContext --- operator/values.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/operator/values.yaml b/operator/values.yaml index 487acea0..86224abb 100644 --- a/operator/values.yaml +++ b/operator/values.yaml @@ -15,12 +15,17 @@ image: pullPolicy: IfNotPresent securityContext: + # securityContext.runAsNonRoot -- Enforces that the Operator image is run as a non root user runAsNonRoot: true + # securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system readOnlyRootFilesystem: true + # securityContext.allowPrivilegeEscalation -- Ensures that users privilidges canout be escalated allowPrivilegeEscalation: false + # securityContext.privileged -- Ensures that the operator container is not run in privilidged mode privileged: false capabilities: drop: + # securityContext.capabilities.drop[0] -- This drops all linux privilidges from the operator container. They are not required - all lurcher: From 4b7a17248f05ab01abf022c04b499cdd15b8d697 Mon Sep 17 00:00:00 2001 
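Review bot: The comments added to operator/values.yaml in the securityContext hunk carry misspellings that helm-docs copies straight into the generated README (patch 10 shows them landing there): "privilidges canout be escalated", "privilidged mode", and "linux privilidges", the last of which also mislabels capabilities as privileges. Suggested wording: `# securityContext.allowPrivilegeEscalation -- Ensures that the container's privileges cannot be escalated`, `# securityContext.privileged -- Ensures that the operator container is not run in privileged mode`, and `# securityContext.capabilities.drop[0] -- Drops all Linux capabilities from the operator container; none are required`.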
From: Jannik Hollenbach Date: Fri, 2 Oct 2020 13:02:40 +0200 Subject: [PATCH 09/16] Add securityContext to nmap --- scanners/nmap/README.md.gotmpl | 42 +++++++++++++++++++++ scanners/nmap/scanner/Dockerfile | 4 +- scanners/nmap/templates/nmap-scan-type.yaml | 6 ++- scanners/nmap/values.yaml | 14 +++++++ 4 files changed, 63 insertions(+), 3 deletions(-) diff --git a/scanners/nmap/README.md.gotmpl b/scanners/nmap/README.md.gotmpl index ec84389b..88fe895e 100644 --- a/scanners/nmap/README.md.gotmpl +++ b/scanners/nmap/README.md.gotmpl @@ -42,6 +42,48 @@ Some useful example parameters listed below: - `-script` xx: Replace xx with the script name. Start the scan with the given script. - `--script` xx: Replace xx with a coma-separated list of scripts. Start the scan with the given scripts. +## Operating System Scans + +:::caution +Warning! This is currently not tested and might require additional testing to work 😕 +::: + +If you want to use Nmap to identify operating systems of hosts you'll need to weaken the securityContext config, as Nmap requires the capability to send raw sockets to identify operating systems. See [Nmap Docs](https://secwiki.org/w/Running_nmap_as_an_unprivileged_user) + +You can deployed the ScanType with the config like this: + +```bash +cat < Date: Fri, 2 Oct 2020 11:03:04 +0000 Subject: [PATCH 10/16] Updating Helm Docs --- operator/README.md | 10 ++++----- scanners/nmap/README.md | 47 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 5 deletions(-) diff --git a/operator/README.md b/operator/README.md index f2a556a3..d4ce767a 100644 --- a/operator/README.md +++ b/operator/README.md 
@@ -38,10 +38,10 @@ helm install securecodebox-operator secureCodeBox/operator | s3.port | string | `nil` | | | s3.secretAttributeNames.accesskey | string | `"accesskey"` | | | s3.secretAttributeNames.secretkey | string | `"secretkey"` | | -| securityContext.allowPrivilegeEscalation | bool | `false` | | -| securityContext.capabilities.drop[0] | string | `"all"` | | -| securityContext.privileged | bool | `false` | | -| securityContext.readOnlyRootFilesystem | bool | `true` | | -| securityContext.runAsNonRoot | bool | `true` | | +| securityContext.allowPrivilegeEscalation | bool | `false` | Ensures that users privilidges canout be escalated | +| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privilidges from the operator container. They are not required | +| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privilidged mode | +| securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | +| securityContext.runAsNonRoot | bool | `true` | Enforces that the Operator image is run as a non root user | | telemetryEnabled | bool | `true` | The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry | diff --git a/scanners/nmap/README.md b/scanners/nmap/README.md index 532ed985..d647c5be 100644 --- a/scanners/nmap/README.md +++ b/scanners/nmap/README.md 
@@ -42,6 +42,48 @@ Some useful example parameters listed below: - `-script` xx: Replace xx with the script name. Start the scan with the given script. - `--script` xx: Replace xx with a coma-separated list of scripts. Start the scan with the given scripts. +## Operating System Scans + +:::caution +Warning! This is currently not tested and might require additional testing to work 😕 +::: + +If you want to use Nmap to identify operating systems of hosts you'll need to weaken the securityContext config, as Nmap requires the capability to send raw sockets to identify operating systems. See [Nmap Docs](https://secwiki.org/w/Running_nmap_as_an_unprivileged_user) + +You can deployed the ScanType with the config like this: + +```bash +cat < Date: Fri, 2 Oct 2020 16:26:39 +0200 Subject: [PATCH 11/16] Update amass version --- scanners/amass/Chart.yaml | 2 +- scanners/amass/README.md | 24 ++++++++++++------------ scanners/amass/README.md.gotmpl | 2 +- scanners/amass/helm2.Chart.yaml | 2 +- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/scanners/amass/Chart.yaml b/scanners/amass/Chart.yaml index b2cbc9a2..a8df7f9f 100644 --- a/scanners/amass/Chart.yaml +++ b/scanners/amass/Chart.yaml @@ -5,7 +5,7 @@ description: A Helm chart for the Amass security scanner that integrates with th type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest -appVersion: 3.10.3 +appVersion: 3.10.4 kubeVersion: ">=v1.11.0" keywords: diff --git a/scanners/amass/README.md b/scanners/amass/README.md index 741ec647..5a1d1d8a 100644 --- a/scanners/amass/README.md +++ b/scanners/amass/README.md @@ -4,7 +4,7 @@ path: "scanners/amass" category: "scanner" type: "Network" state: "released" -appVersion: "3.10.3" +appVersion: "3.10.4" usecase: "Subdomain Enumeration Scanner" --- 
@@ -38,17 +38,17 @@ Special command line options: ## Chart Configuration -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| parserImage.repository | string | `"docker.io/securecodebox/parser-amass"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | +| Key | Type | Default | Description | +| ---------------------------------- | ------ | ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| parserImage.repository | string | `"docker.io/securecodebox/parser-amass"` | Parser image repository | +| parserImage.tag | string | defaults to the charts version | Parser image tag 
| +| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | [owasp_amass_project]: https://owasp.org/www-project-amass/ [amass github]: https://github.com/OWASP/Amass -[amass user guide]: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md \ No newline at end of file +[amass user guide]: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md diff --git a/scanners/amass/README.md.gotmpl b/scanners/amass/README.md.gotmpl index 957aa9c5..025de4ca 100644 --- a/scanners/amass/README.md.gotmpl +++ b/scanners/amass/README.md.gotmpl @@ -4,7 +4,7 @@ path: "scanners/amass" category: "scanner" type: "Network" state: "released" -appVersion: "3.10.3" +appVersion: "3.10.4" usecase: "Subdomain Enumeration Scanner" --- diff --git a/scanners/amass/helm2.Chart.yaml b/scanners/amass/helm2.Chart.yaml index b1cc68da..0ccd0c02 100644 --- a/scanners/amass/helm2.Chart.yaml +++ b/scanners/amass/helm2.Chart.yaml 
@@ -5,7 +5,7 @@ description: A Helm chart for the Amass security scanner that integrates with th type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest -appVersion: 3.10.3 +appVersion: 3.10.4 kubeVersion: ">=v1.11.0" keywords: From a592989fcfcd947f3bc697c6d1ccc16cac3c6568 Mon Sep 17 00:00:00 2001 
From: Jannik Hollenbach Date: Fri, 2 Oct 2020 17:23:42 +0200 Subject: [PATCH 12/16] Add empty securityContext to all scanners These will be extended later to best represent the needs of the individual scanners. Also added `env`, `extraVolumes`, `extraVolumeMounts`, `extraContainers` config values missing in scanner templates. --- scanners/amass/README.md | 22 ++++---- scanners/amass/templates/amass-scan-type.yaml | 17 ++++--- scanners/amass/values.yaml | 13 ++++- scanners/kube-hunter/README.md | 1 + .../templates/kubehunter-scan-type.yaml | 11 ++++ scanners/kube-hunter/values.yaml | 3 ++ scanners/ncrack/README.md | 1 + .../ncrack/templates/ncrack-scan-type.yaml | 7 +++ scanners/ncrack/values.yaml | 3 ++ scanners/nikto/README.md | 1 + scanners/nikto/templates/nikto-scan-type.yaml | 11 ++++ scanners/nikto/values.yaml | 3 ++ scanners/nmap/README.md | 1 + scanners/nmap/templates/nmap-scan-type.yaml | 11 +++- scanners/nmap/values.yaml | 1 + scanners/ssh_scan/README.md | 1 + .../templates/ssh-scan-scan-type.yaml | 11 ++++ scanners/ssh_scan/values.yaml | 3 ++ scanners/sslyze/README.md | 1 + .../sslyze/templates/sslyze-scan-type.yaml | 11 ++++ scanners/sslyze/values.yaml | 3 ++ scanners/test-scan/README.md | 1 + .../templates/test-scan-scan-type.yaml | 11 ++++ scanners/test-scan/values.yaml | 3 ++ scanners/trivy/README.md | 1 + scanners/trivy/templates/trivy-scan-type.yaml | 11 ++++ scanners/trivy/values.yaml | 3 ++ scanners/wpscan/README.md | 1 + .../wpscan/templates/wpscan-scan-type.yaml | 13 ++++- scanners/wpscan/values.yaml | 3 ++ scanners/zap/README.md | 5 +- scanners/zap/templates/zap-scan-type.yaml | 51 ++++++++++++------- scanners/zap/values.yaml | 11 +++- 33 files changed, 205 insertions(+), 45 deletions(-) diff --git a/scanners/amass/README.md b/scanners/amass/README.md index 5a1d1d8a..1012abbb 100644 --- a/scanners/amass/README.md +++ b/scanners/amass/README.md 
@@ -38,17 +38,17 @@ Special command line options: ## Chart Configuration -| Key | Type | Default | Description | -| ---------------------------------- | ------ | ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| parserImage.repository | string | `"docker.io/securecodebox/parser-amass"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| parserImage.repository | string | `"docker.io/securecodebox/parser-amass"` | Parser image repository | +| parserImage.tag | string | defaults to the charts version | Parser image tag 
| +| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scannerJob.extraVolumeMounts | list | `[{"mountPath":"/amass/output/config.ini","name":"amass-config","subPath":"config.ini"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scannerJob.extraVolumes | list | `[{"configMap":{"name":"amass-config"},"name":"amass-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | [owasp_amass_project]: https://owasp.org/www-project-amass/ [amass github]: https://github.com/OWASP/Amass -[amass user guide]: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md +[amass user guide]: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md \ No newline at end of file diff --git a/scanners/amass/templates/amass-scan-type.yaml b/scanners/amass/templates/amass-scan-type.yaml index a52b7cb7..208f89ff 100644 --- a/scanners/amass/templates/amass-scan-type.yaml +++ b/scanners/amass/templates/amass-scan-type.yaml 
@@ -24,16 +24,19 @@ spec: - "enum" - "-json" - "/home/securecodebox/amass-results.jsonl" - volumeMounts: - - name: "amass-config" - mountPath: "/amass/output/config.ini" - subPath: "config.ini" resources: {{- toYaml .Values.scannerJob.resources | nindent 16 }} + securityContext: + {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + env: + {{- toYaml .Values.scannerJob.env | nindent 16 }} + volumeMounts: + {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} + {{- if .Values.scannerJob.extraContainers }} + {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- end }} volumes: - - name: "amass-config" - configMap: - name: "amass-config" + {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 12 }} --- apiVersion: v1 kind: ConfigMap diff --git a/scanners/amass/values.yaml b/scanners/amass/values.yaml index c4c19fc1..aaf00c6d 100644 --- a/scanners/amass/values.yaml +++ b/scanners/amass/values.yaml @@ -24,10 +24,19 @@ scannerJob: env: [] # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) - extraVolumes: [] + extraVolumes: + - name: "amass-config" + configMap: + name: "amass-config" # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) - extraVolumeMounts: [] + extraVolumeMounts: + - name: "amass-config" + mountPath: "/amass/output/config.ini" + subPath: "config.ini" # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] + + # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + securityContext: {} diff --git a/scanners/kube-hunter/README.md b/scanners/kube-hunter/README.md index e9912a4a..6c7e047f 100644 
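Review bot: The `volumes:` block at the end of the amass-scan-type.yaml hunk renders `.Values.scannerJob.extraVolumeMounts`, while every other scanner template in this patch renders `.Values.scannerJob.extraVolumes` there, so the pod spec receives mount entries (`mountPath`/`subPath`) under `volumes` and the `amass-config` ConfigMap volume is never defined; change the line to `{{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}`. A second point, shared with the zap-scan-type.yaml hunk later in this patch: the previously hard-coded `amass-config` mount (and zap's `/zap/wrk` emptyDir, which the relative results-path workaround in that template depends on) now exists only as the `extraVolumes`/`extraVolumeMounts` defaults in values.yaml, so a user who sets `scannerJob.extraVolumes` to add a volume of their own silently drops the one the scanner needs. Either keep the required volume and mount in the template and append the extras after them, or state in the values.yaml comments that an override must retain the default entry.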
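Review bot: The new `scannerJob.securityContext: {}` in amass values.yaml is described only as "Optional securityContext set on scanner container", which does not tell a chart user that the empty default leaves the scanner container with the cluster defaults (no `runAsNonRoot`, writable root filesystem, no capability drop); the identical comment is added in the kube-hunter, ncrack, nikto, ssh_scan, sslyze, test-scan, trivy and wpscan values.yaml hunks. Until the per-scanner values are filled in, a comment such as `# scannerJob.securityContext -- Optional securityContext set on scanner container; empty by default, so no restrictions are applied (see scanners/nmap/values.yaml for a hardened example and https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)` makes the trade-off visible, and helm-docs would carry it into each README table as well.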
--- a/scanners/kube-hunter/README.md +++ b/scanners/kube-hunter/README.md @@ -43,6 +43,7 @@ The following security scan configuration example are based on the [kube-hunter | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | [kube-hunter Website]: https://kube-hunter.aquasec.com/ diff --git a/scanners/kube-hunter/templates/kubehunter-scan-type.yaml b/scanners/kube-hunter/templates/kubehunter-scan-type.yaml index e88dc3c9..e5dd4e27 100644 --- a/scanners/kube-hunter/templates/kubehunter-scan-type.yaml +++ b/scanners/kube-hunter/templates/kubehunter-scan-type.yaml @@ -24,3 +24,14 @@ spec: - 'json' resources: {{- toYaml .Values.scannerJob.resources | nindent 16 }} + securityContext: + {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + env: + {{- toYaml .Values.scannerJob.env | nindent 16 }} + volumeMounts: + {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} + {{- if .Values.scannerJob.extraContainers }} + {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- end }} + volumes: + {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} 
diff --git a/scanners/kube-hunter/values.yaml b/scanners/kube-hunter/values.yaml index 1cca15ed..d94a8923 100644 --- a/scanners/kube-hunter/values.yaml +++ b/scanners/kube-hunter/values.yaml @@ -36,3 +36,6 @@ scannerJob: # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] + + # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + securityContext: {} diff --git a/scanners/ncrack/README.md b/scanners/ncrack/README.md index c2deaee4..07384f88 100644 --- a/scanners/ncrack/README.md +++ b/scanners/ncrack/README.md @@ -151,6 +151,7 @@ SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | --- diff --git a/scanners/ncrack/templates/ncrack-scan-type.yaml b/scanners/ncrack/templates/ncrack-scan-type.yaml index c968760b..8687bdf0 100644 --- a/scanners/ncrack/templates/ncrack-scan-type.yaml 
+++ b/scanners/ncrack/templates/ncrack-scan-type.yaml @@ -21,8 +21,15 @@ spec: command: ["ncrack", "-oX", "/home/securecodebox/ncrack-results.xml"] resources: {{- toYaml .Values.scannerJob.resources | nindent 16 }} + securityContext: + {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + env: + {{- toYaml .Values.scannerJob.env | nindent 16 }} volumeMounts: {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} + {{- if .Values.scannerJob.extraContainers }} + {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- end }} volumes: {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} diff --git a/scanners/ncrack/values.yaml b/scanners/ncrack/values.yaml index a28e3237..61d0dab2 100644 --- a/scanners/ncrack/values.yaml +++ b/scanners/ncrack/values.yaml @@ -36,3 +36,6 @@ scannerJob: # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] + + # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + securityContext: {} diff --git a/scanners/nikto/README.md b/scanners/nikto/README.md index fb2e83e6..26f00934 100644 --- a/scanners/nikto/README.md +++ b/scanners/nikto/README.md 
@@ -60,6 +60,7 @@ Nikto also has a comprehensive list of [command line options documented](https:/ | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | [cirt.net]: https://cirt.net/ diff --git a/scanners/nikto/templates/nikto-scan-type.yaml b/scanners/nikto/templates/nikto-scan-type.yaml index 4a91da27..33a50010 100644 --- a/scanners/nikto/templates/nikto-scan-type.yaml +++ b/scanners/nikto/templates/nikto-scan-type.yaml @@ -26,3 +26,14 @@ spec: - '/home/securecodebox/nikto-results.json' resources: {{- toYaml .Values.scannerJob.resources | nindent 16 }} + securityContext: + {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + env: + {{- toYaml .Values.scannerJob.env | nindent 16 }} + volumeMounts: + {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} + {{- if .Values.scannerJob.extraContainers }} + {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- end }} + volumes: + {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} diff --git a/scanners/nikto/values.yaml b/scanners/nikto/values.yaml index fdf1ab47..3f583804 100644 --- a/scanners/nikto/values.yaml 
+++ b/scanners/nikto/values.yaml @@ -31,3 +31,6 @@ scannerJob: # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] + + # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + securityContext: {} diff --git a/scanners/nmap/README.md b/scanners/nmap/README.md index 046be3d9..79003712 100644 --- a/scanners/nmap/README.md +++ b/scanners/nmap/README.md @@ -97,6 +97,7 @@ spec: | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scannerJob.securityContext.allowPrivilegeEscalation | bool | `false` | Ensures that users privilidges canout be escalated | | scannerJob.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privilidges from the container. | | scannerJob.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privilidged mode | diff --git a/scanners/nmap/templates/nmap-scan-type.yaml b/scanners/nmap/templates/nmap-scan-type.yaml index 6ba2916d..28291378 100644 
--- a/scanners/nmap/templates/nmap-scan-type.yaml +++ b/scanners/nmap/templates/nmap-scan-type.yaml @@ -19,9 +19,16 @@ spec: - name: nmap image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}" command: ["nmap", "-oX", "/home/securecodebox/nmap-results.xml"] - env: - {{- toYaml .Values.scannerJob.env | nindent 16 }} resources: {{- toYaml .Values.scannerJob.resources | nindent 16 }} securityContext: {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + env: + {{- toYaml .Values.scannerJob.env | nindent 16 }} + volumeMounts: + {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} + {{- if .Values.scannerJob.extraContainers }} + {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- end }} + volumes: + {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} diff --git a/scanners/nmap/values.yaml b/scanners/nmap/values.yaml index 945d5bb7..cd1e9e45 100644 --- a/scanners/nmap/values.yaml +++ b/scanners/nmap/values.yaml @@ -36,6 +36,7 @@ scannerJob: # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] + # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: # scannerJob.securityContext.runAsNonRoot -- Enforces that the scanner image is run as a non root user runAsNonRoot: true diff --git a/scanners/ssh_scan/README.md b/scanners/ssh_scan/README.md index 7ae8f815..0e31edf1 100644 --- a/scanners/ssh_scan/README.md +++ b/scanners/ssh_scan/README.md 
@@ -73,6 +73,7 @@ Examples: | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | [ssh_scan GitHub]: https://github.com/mozilla/ssh_scan diff --git a/scanners/ssh_scan/templates/ssh-scan-scan-type.yaml b/scanners/ssh_scan/templates/ssh-scan-scan-type.yaml index f06cf0c6..f245aaf9 100644 --- a/scanners/ssh_scan/templates/ssh-scan-scan-type.yaml +++ b/scanners/ssh_scan/templates/ssh-scan-scan-type.yaml @@ -24,3 +24,14 @@ spec: - "/home/securecodebox/ssh-scan-results.json" resources: {{- toYaml .Values.scannerJob.resources | nindent 16 }} + securityContext: + {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + env: + {{- toYaml .Values.scannerJob.env | nindent 16 }} + volumeMounts: + {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} + {{- if .Values.scannerJob.extraContainers }} + {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- end }} + volumes: + {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} diff --git a/scanners/ssh_scan/values.yaml b/scanners/ssh_scan/values.yaml index 7ff20f3d..a4f718ad 100644 --- a/scanners/ssh_scan/values.yaml 
+++ b/scanners/ssh_scan/values.yaml @@ -31,3 +31,6 @@ scannerJob: # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] + + # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + securityContext: {} diff --git a/scanners/sslyze/README.md b/scanners/sslyze/README.md index 03e51d14..b50b7d17 100644 --- a/scanners/sslyze/README.md +++ b/scanners/sslyze/README.md @@ -140,6 +140,7 @@ Options: | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | [SSLyze GitHub]: https://github.com/nabla-c0d3/sslyze diff --git a/scanners/sslyze/templates/sslyze-scan-type.yaml b/scanners/sslyze/templates/sslyze-scan-type.yaml index 4536159c..5f7c0dc8 100644 --- a/scanners/sslyze/templates/sslyze-scan-type.yaml +++ b/scanners/sslyze/templates/sslyze-scan-type.yaml 
@@ -23,3 +23,14 @@ spec: - '/home/securecodebox/sslyze-results.json' resources: {{- toYaml .Values.scannerJob.resources | nindent 16 }} + securityContext: + {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + env: + {{- toYaml .Values.scannerJob.env | nindent 16 }} + volumeMounts: + {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} + {{- if .Values.scannerJob.extraContainers }} + {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- end }} + volumes: + {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} \ No newline at end of file diff --git a/scanners/sslyze/values.yaml b/scanners/sslyze/values.yaml index 326f502f..a129571a 100644 --- a/scanners/sslyze/values.yaml +++ b/scanners/sslyze/values.yaml @@ -31,3 +31,6 @@ scannerJob: # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] + + # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + securityContext: {} diff --git a/scanners/test-scan/README.md b/scanners/test-scan/README.md index a53b7153..f881f7d4 100644 --- a/scanners/test-scan/README.md +++ b/scanners/test-scan/README.md 
@@ -27,4 +27,5 @@ A Helm chart to test the secureCodeBox operator | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | diff --git a/scanners/test-scan/templates/test-scan-scan-type.yaml b/scanners/test-scan/templates/test-scan-scan-type.yaml index 6d2a999b..de72d0b8 100644 --- a/scanners/test-scan/templates/test-scan-scan-type.yaml +++ b/scanners/test-scan/templates/test-scan-scan-type.yaml @@ -21,3 +21,14 @@ spec: command: ["touch", "/home/securecodebox/hello-world.txt"] resources: {{- toYaml .Values.scannerJob.resources | nindent 16 }} + securityContext: + {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + env: + {{- toYaml .Values.scannerJob.env | nindent 16 }} + volumeMounts: + {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} + {{- if .Values.scannerJob.extraContainers }} + {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- end }} + volumes: + {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} \ No newline at end of file diff --git a/scanners/test-scan/values.yaml b/scanners/test-scan/values.yaml index 683bef4e..b4710ffc 100644 
--- a/scanners/test-scan/values.yaml +++ b/scanners/test-scan/values.yaml @@ -36,3 +36,6 @@ scannerJob: # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] + + # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + securityContext: {} diff --git a/scanners/trivy/README.md b/scanners/trivy/README.md index 56d660ff..847220f1 100644 --- a/scanners/trivy/README.md +++ b/scanners/trivy/README.md @@ -45,4 +45,5 @@ The following security scan configuration example are based on the [Trivy Docume | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | diff --git a/scanners/trivy/templates/trivy-scan-type.yaml b/scanners/trivy/templates/trivy-scan-type.yaml index 854ec819..ab04f2ef 100644 --- a/scanners/trivy/templates/trivy-scan-type.yaml +++ b/scanners/trivy/templates/trivy-scan-type.yaml 
@@ -28,3 +28,14 @@ spec: - "/home/securecodebox/trivy-results.json" resources: {{- toYaml .Values.scannerJob.resources | nindent 16 }} + securityContext: + {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + env: + {{- toYaml .Values.scannerJob.env | nindent 16 }} + volumeMounts: + {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} + {{- if .Values.scannerJob.extraContainers }} + {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- end }} + volumes: + {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} \ No newline at end of file diff --git a/scanners/trivy/values.yaml b/scanners/trivy/values.yaml index b03eaf48..3a2bb352 100644 --- a/scanners/trivy/values.yaml +++ b/scanners/trivy/values.yaml @@ -31,3 +31,6 @@ scannerJob: # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] + + # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + securityContext: {} diff --git a/scanners/wpscan/README.md b/scanners/wpscan/README.md index f45a7033..ad4a4dc0 100644 --- a/scanners/wpscan/README.md +++ b/scanners/wpscan/README.md 
@@ -79,6 +79,7 @@ Incompatible choices (only one of each group/s can be used): | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | [wpscan.io]: https://wpscan.io/ diff --git a/scanners/wpscan/templates/wpscan-scan-type.yaml b/scanners/wpscan/templates/wpscan-scan-type.yaml index 530f9d03..3f1c1cc8 100644 --- a/scanners/wpscan/templates/wpscan-scan-type.yaml +++ b/scanners/wpscan/templates/wpscan-scan-type.yaml @@ -25,4 +25,15 @@ spec: - "-f" - json resources: - {{- toYaml .Values.scannerJob.resources | nindent 16 }} \ No newline at end of file + {{- toYaml .Values.scannerJob.resources | nindent 16 }} + securityContext: + {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + env: + {{- toYaml .Values.scannerJob.env | nindent 16 }} + volumeMounts: + {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} + {{- if .Values.scannerJob.extraContainers }} + {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- end }} + volumes: + {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} \ No newline at end of file 
diff --git a/scanners/wpscan/values.yaml b/scanners/wpscan/values.yaml index 7fb79368..444e8f78 100644 --- a/scanners/wpscan/values.yaml +++ b/scanners/wpscan/values.yaml @@ -31,3 +31,6 @@ scannerJob: # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] + + # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + securityContext: {} diff --git a/scanners/zap/README.md b/scanners/zap/README.md index 40075120..7d5f5436 100644 --- a/scanners/zap/README.md +++ b/scanners/zap/README.md 
@@ -67,7 +67,8 @@ Options:
 | parserImage.tag | string | defaults to the charts version | Parser image tag |
 | scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
 | scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
-| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scannerJob.extraVolumeMounts | list | `[{"mountPath":"/zap/wrk","name":"zap-workdir"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scannerJob.extraVolumes | list | `[{"emptyDir":{},"name":"zap-workdir"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) |
diff --git a/scanners/zap/templates/zap-scan-type.yaml b/scanners/zap/templates/zap-scan-type.yaml
index b04a1210..47e94194 100644
--- a/scanners/zap/templates/zap-scan-type.yaml
+++ b/scanners/zap/templates/zap-scan-type.yaml
@@ -16,7 +16,7 @@ spec:
 restartPolicy: Never
 containers:
 - name: zap-baseline
- image: owasp/zap2docker-weekly:w2020-09-15
+ image: owasp/zap2docker-weekly:w2020-09-29
 command:
 - "zap-baseline.py"
 # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.
@@ -25,14 +25,19 @@ spec:
 # ZAP Baseline Script doesn't allow absolute paths...
 # Hacky workaround: specify a relative path to the `/zap/wrk` base dir.
 - "../../home/securecodebox/zap-results.json"
- volumeMounts:
- - mountPath: /zap/wrk
- name: zap-workdir
 resources:
 {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ securityContext:
+ {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ env:
+ {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ volumeMounts:
+ {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scannerJob.extraContainers }}
+ {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- end }}
 volumes:
- - name: zap-workdir
- emptyDir: {}
+ {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
 ---
 apiVersion: "execution.experimental.securecodebox.io/v1"
 kind: ScanType
@@ -52,7 +57,7 @@ spec:
 restartPolicy: Never
 containers:
 - name: zap-api-scan
- image: owasp/zap2docker-weekly:w2020-09-15
+ image: owasp/zap2docker-weekly:w2020-09-29
 command:
 - "zap-api-scan.py"
 # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.
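Review bot: Moving the `/zap/wrk` mount out of the template and into the `extraVolumes`/`extraVolumeMounts` defaults means a user who sets either value to add their own volume replaces the whole list, and the scan silently loses the working directory that the comment above `"../../home/securecodebox/zap-results.json"` says the result path is relative to; the same applies to the hunks at -61 and -97 in this file. Keeping the workdir entries fixed in the template and rendering the extras after them avoids that, with the `toYaml` guarded by `with` because an empty list would otherwise render as `[]` next to a fixed item, and the values.yaml defaults would then go back to `[]`. If the intent was to let users swap the workdir for another volume type, the values.yaml comment should at least say that the `zap-workdir` entry must be kept. Separately, `owasp/zap2docker-weekly:w2020-09-29` is a moving weekly tag; pinning it by digest would make the scanner image reproducible.
```yaml
              volumeMounts:
                - mountPath: /zap/wrk
                  name: zap-workdir
                {{- with .Values.scannerJob.extraVolumeMounts }}
                {{- toYaml . | nindent 16 }}
                {{- end }}
          # … unchanged: extraContainers block …
          volumes:
            - name: zap-workdir
              emptyDir: {}
            {{- with .Values.scannerJob.extraVolumes }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
```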
@@ -61,14 +66,19 @@ spec:
 # ZAP Baseline Script doesn't allow absolute paths...
 # Hacky workaround: specify a relative path to the `/zap/wrk` base dir.
 - "../../home/securecodebox/zap-results.json"
- volumeMounts:
- - mountPath: /zap/wrk
- name: zap-workdir
 resources:
 {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ securityContext:
+ {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ env:
+ {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ volumeMounts:
+ {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scannerJob.extraContainers }}
+ {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- end }}
 volumes:
- - name: zap-workdir
- emptyDir: {}
+ {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
 ---
 apiVersion: "execution.experimental.securecodebox.io/v1"
 kind: ScanType
@@ -88,7 +98,7 @@ spec:
 restartPolicy: Never
 containers:
 - name: zap-full-scan
- image: owasp/zap2docker-weekly:w2020-09-15
+ image: owasp/zap2docker-weekly:w2020-09-29
 command:
 - "zap-full-scan.py"
 # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.
@@ -97,11 +107,16 @@ spec:
 # ZAP Baseline Script doesn't allow absolute paths...
 # Hacky workaround: specify a relative path to the `/zap/wrk` base dir.
 - "../../home/securecodebox/zap-results.json"
- volumeMounts:
- - mountPath: /zap/wrk
- name: zap-workdir
 resources:
 {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ securityContext:
+ {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ env:
+ {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ volumeMounts:
+ {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scannerJob.extraContainers }}
+ {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- end }}
 volumes:
- - name: zap-workdir
- emptyDir: {}
+ {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
diff --git a/scanners/zap/values.yaml b/scanners/zap/values.yaml
index b4d40d30..e18c5483 100644
--- a/scanners/zap/values.yaml
+++ b/scanners/zap/values.yaml
@@ -24,10 +24,17 @@ scannerJob:
 env: []

 # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
- extraVolumes: []
+ extraVolumes:
+ - name: zap-workdir
+ emptyDir: {}

 # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
- extraVolumeMounts: []
+ extraVolumeMounts:
+ - mountPath: /zap/wrk
+ name: zap-workdir

 # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
 extraContainers: []
+
+ # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+ securityContext: {}
From 669b011b5f497eac0375fa9acc80dfbcea2589ab Mon Sep 17 00:00:00 2001
From: J12934
Date: Fri, 2 Oct 2020 15:24:13 +0000
Subject: [PATCH 13/16] Updating Helm Docs
---
 scanners/amass/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scanners/amass/README.md b/scanners/amass/README.md
index 1012abbb..61730430 100644
--- a/scanners/amass/README.md
+++ b/scanners/amass/README.md
@@ -47,6 +47,7 @@ Special command line options:
 | scannerJob.extraVolumeMounts | list | `[{"mountPath":"/amass/output/config.ini","name":"amass-config","subPath":"config.ini"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.extraVolumes | list | `[{"configMap":{"name":"amass-config"},"name":"amass-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) |

 [owasp_amass_project]: https://owasp.org/www-project-amass/
From 8210699f7a4798e845fb8ca8edfa4065ee9add5d Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Mon, 5 Oct 2020 13:11:53 +0200
Subject: [PATCH 14/16] Apply code review comments
---
 hook-sdk/nodejs/Dockerfile | 2 +-
 operator/README.md | 8 ++++----
 operator/values.yaml | 8 ++++----
 parser-sdk/nodejs/Dockerfile | 2 +-
 scanners/nmap/README.md | 12 ++++++------
 scanners/nmap/README.md.gotmpl | 8 ++++----
 scanners/nmap/scanner/Dockerfile | 2 +-
 scanners/nmap/values.yaml | 6 +++---
 scanners/sslyze/templates/sslyze-scan-type.yaml | 2 +-
 .../test-scan/templates/test-scan-scan-type.yaml | 2 +-
 scanners/trivy/templates/trivy-scan-type.yaml | 2 +-
 scanners/wpscan/templates/wpscan-scan-type.yaml | 2 +-
 12 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/hook-sdk/nodejs/Dockerfile b/hook-sdk/nodejs/Dockerfile
index 25e6f10b..11963747 100644
--- a/hook-sdk/nodejs/Dockerfile
+++ b/hook-sdk/nodejs/Dockerfile
@@ -11,4 +11,4 @@ COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./hook-wrapper.js ./hook-wrapper.js
 USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
-ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]
\ No newline at end of file
+ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]
diff --git a/operator/README.md b/operator/README.md
index 5e04679e..d8d6a31e 100644
--- a/operator/README.md
+++ b/operator/README.md
@@ -21,7 +21,7 @@ helm install securecodebox-operator secureCodeBox/operator

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image.pullPolicy | string | `"Always"` | Image pull policy |
 | image.repository | string | `"docker.io/securecodebox/operator"` | The operator image repository |
 | image.tag | string | defaults to the charts version | Parser image tag |
 | lurcher.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
@@ -38,9 +38,9 @@ helm install securecodebox-operator secureCodeBox/operator
 | s3.port | string | `nil` | |
 | s3.secretAttributeNames.accesskey | string | `"accesskey"` | |
 | s3.secretAttributeNames.secretkey | string | `"secretkey"` | |
-| securityContext.allowPrivilegeEscalation | bool | `false` | Ensures that users privilidges canout be escalated |
-| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privilidges from the operator container. They are not required |
-| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privilidged mode |
+| securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
+| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the operator container. They are not required |
+| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privileged mode |
 | securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system |
 | securityContext.runAsNonRoot | bool | `true` | Enforces that the Operator image is run as a non root user |
 | telemetryEnabled | bool | `true` | The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry |
diff --git a/operator/values.yaml b/operator/values.yaml
index 513bfb9c..d9da2498 100644
--- a/operator/values.yaml
+++ b/operator/values.yaml
@@ -12,20 +12,20 @@ image:
 # @default -- defaults to the charts version
 tag: null
 # image.pullPolicy -- Image pull policy
- pullPolicy: IfNotPresent
+ pullPolicy: Always

 securityContext:
 # securityContext.runAsNonRoot -- Enforces that the Operator image is run as a non root user
 runAsNonRoot: true
 # securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
 readOnlyRootFilesystem: true
- # securityContext.allowPrivilegeEscalation -- Ensures that users privilidges canout be escalated
+ # securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
 allowPrivilegeEscalation: false
- # securityContext.privileged -- Ensures that the operator container is not run in privilidged mode
+ # securityContext.privileged -- Ensures that the operator container is not run in privileged mode
 privileged: false
 capabilities:
 drop:
- # securityContext.capabilities.drop[0] -- This drops all linux privilidges from the operator container. They are not required
+ # securityContext.capabilities.drop[0] -- This drops all linux privileges from the operator container. They are not required
 - all

 lurcher:
diff --git a/parser-sdk/nodejs/Dockerfile b/parser-sdk/nodejs/Dockerfile
index 62d9a767..7382046e 100644
--- a/parser-sdk/nodejs/Dockerfile
+++ b/parser-sdk/nodejs/Dockerfile
@@ -11,4 +11,4 @@ COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./parser-wrapper.js ./parser-wrapper.js
 USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
-ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]
\ No newline at end of file
+ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]
diff --git a/scanners/nmap/README.md b/scanners/nmap/README.md
index 79003712..a9a8c560 100644
--- a/scanners/nmap/README.md
+++ b/scanners/nmap/README.md
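Review bot: The reworded comment `# securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated` still reads awkwardly and no longer matches its sibling comments, which all start with "Ensures that …"; `# securityContext.allowPrivilegeEscalation -- Ensures that the user's privileges cannot be escalated` would fix both. The matching row in operator/README.md, changed in this same commit, appears to be generated from these comments (the "Updating Helm Docs" commits in this series), so it should be regenerated rather than edited by hand once the comment is fixed.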
@@ -50,10 +50,10 @@ Warning! This is currently not tested and might require additional testing to wo If you want to use Nmap to identify operating systems of hosts you'll need to weaken the securityContext config, as Nmap requires the capability to send raw sockets to identify operating systems. See [Nmap Docs](https://secwiki.org/w/Running_nmap_as_an_unprivileged_user) -You can deployed the ScanType with the config like this: +You can deploy the ScanType with the config like this: ```bash -cat < Date: Mon, 5 Oct 2020 11:12:20 +0000 Subject: [PATCH 15/16] Updating Helm Docs --- scanners/nmap/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scanners/nmap/README.md b/scanners/nmap/README.md index a9a8c560..3c169d66 100644 --- a/scanners/nmap/README.md +++ b/scanners/nmap/README.md @@ -103,4 +103,4 @@ spec: | scannerJob.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scannerJob.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scannerJob.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | \ No newline at end of file +| scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | From 1823a6047318c37d594a098009139bfde27de1ba Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Mon, 5 Oct 2020 13:14:37 +0200 Subject: [PATCH 16/16] Change default lurcher pullPolicy to Always --- operator/README.md | 2 +- operator/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/operator/README.md b/operator/README.md
index d8d6a31e..970ff3b5 100644
--- a/operator/README.md
+++ b/operator/README.md
@@ -24,7 +24,7 @@ helm install securecodebox-operator secureCodeBox/operator
 | image.pullPolicy | string | `"Always"` | Image pull policy |
 | image.repository | string | `"docker.io/securecodebox/operator"` | The operator image repository |
 | image.tag | string | defaults to the charts version | Parser image tag |
-| lurcher.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| lurcher.image.pullPolicy | string | `"Always"` | Image pull policy |
 | lurcher.image.repository | string | `"docker.io/securecodebox/lurcher"` | The operator image repository |
 | lurcher.image.tag | string | defaults to the charts version | Parser image tag |
 | minio.defaultBucket.enabled | bool | `true` | |
diff --git a/operator/values.yaml b/operator/values.yaml
index d9da2498..d1bb333d 100644
--- a/operator/values.yaml
+++ b/operator/values.yaml
@@ -36,7 +36,7 @@ lurcher:
 # @default -- defaults to the charts version
 tag: null
 # lurcher.image.pullPolicy -- Image pull policy
- pullPolicy: IfNotPresent
+ pullPolicy: Always

 minio:
 # minio.enabled Enable this to use minio as storage backend instead of a cloud bucket provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc.