Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expand run-as-non-root template to verify runAsGroup field is nonzero. #804

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
+302 −17
Open

Expand run-as-non-root template to verify runAsGroup field is nonzero. #804

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
85aa2e1
expand run-as-non-root template with runAsGroup check
ariyonaty Jul 8, 2024
197f903
Merge branch 'stackrox:main' into main
ariyonaty Jul 8, 2024
3ae972b
Merge branch 'stackrox:main' into main
ariyonaty Jul 17, 2024
a95a5dc
Merge branch 'stackrox:main' into main
ariyonaty Aug 8, 2024
6331670
Add unit tests for run-as-non-root check
ariyonaty Aug 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions docs/generated/checks.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -528,9 +528,9 @@ key: owner

**Description**: Indicates when containers are not set to runAsNonRoot.

**Remediation**: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.
**Remediation**: Set runAsUser and runAsGroup to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.

**Template**: [run-as-non-root](templates.md#run-as-non-root-user)
**Template**: [run-as-non-root](templates.md#run-as-non-root)
## scc-deny-privileged-container

**Enabled by default**: No
Expand Down
4 changes: 2 additions & 2 deletions docs/generated/templates.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -703,11 +703,11 @@ KubeLinter supports the following templates:
type: string
```

## Run as non-root user
## Run as non-root

**Key**: `run-as-non-root`

**Description**: Flag containers set to run as a root user
**Description**: Flag containers set to run as a root user or group

**Supported Objects**: DeploymentLike

Expand Down
10 changes: 7 additions & 3 deletions e2etests/bats-tests.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -781,11 +781,15 @@ get_value_from() {

message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message')
count=$(get_value_from "${lines[0]}" '.Reports | length')

[[ "${message1}" == "Deployment: container \"app\" is not set to runAsNonRoot" ]]
[[ "${message2}" == "DeploymentConfig: container \"app2\" is not set to runAsNonRoot" ]]
[[ "${count}" == "2" ]]
[[ "${message1}" == "Deployment: container \"app\" has runAsGroup set to 0" ]]
[[ "${message2}" == "Deployment: container \"app\" is not set to runAsNonRoot" ]]
[[ "${message3}" == "DeploymentConfig: container \"app2\" has runAsGroup set to 0" ]]
[[ "${message4}" == "DeploymentConfig: container \"app2\" is not set to runAsNonRoot" ]]
[[ "${count}" == "4" ]]
}

@test "scc-deny-privileged-container" {
Expand Down
2 changes: 1 addition & 1 deletion pkg/builtinchecks/yamls/run-as-non-root.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: "run-as-non-root"
description: "Indicates when containers are not set to runAsNonRoot."
remediation: >-
Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext.
Set runAsUser and runAsGroup to a non-zero number and runAsNonRoot to true in your pod or container securityContext.
Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.
scope:
objectKinds:
Expand Down
33 changes: 29 additions & 4 deletions pkg/templates/runasnonroot/template.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,11 +34,21 @@
return nil
}

func effectiveRunAsGroup(podSC *v1.PodSecurityContext, containerSC *v1.SecurityContext) *int64 {
if containerSC != nil && containerSC.RunAsGroup != nil {
return containerSC.RunAsGroup

Check warning on line 39 in pkg/templates/runasnonroot/template.go

View check run for this annotation

Codecov / codecov/patch

pkg/templates/runasnonroot/template.go#L39 

Added line #L39 was not covered by tests
}
if podSC != nil {
return podSC.RunAsGroup
}
return nil

Check warning on line 44 in pkg/templates/runasnonroot/template.go

View check run for this annotation

Codecov / codecov/patch

pkg/templates/runasnonroot/template.go#L44 

Added line #L44 was not covered by tests
}

func init() {
templates.Register(check.Template{
HumanName: "Run as non-root user",
HumanName: "Run as non-root",
Key: "run-as-non-root",
Description: "Flag containers set to run as a root user",
Description: "Flag containers set to run as a root user or group",
SupportedObjectKinds: config.ObjectKindsDesc{
ObjectKinds: []string{objectkinds.DeploymentLike},
},
Expand All @@ -53,10 +63,25 @@
var results []diagnostic.Diagnostic
for _, container := range podSpec.AllContainers() {
runAsUser := effectiveRunAsUser(podSpec.SecurityContext, container.SecurityContext)
// runAsUser explicitly set to non-root. All good.
if runAsUser != nil && *runAsUser > 0 {
runAsGroup := effectiveRunAsGroup(podSpec.SecurityContext, container.SecurityContext)
// runAsUser and runAsGroup explicitly set to non-root. All good.
if (runAsUser != nil && *runAsUser > 0) && (runAsGroup != nil && *runAsGroup > 0) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about extracting a function to check for non zero int pointer?

func isNonZero(number *int64) bool {
	return number != nil && *number > 0
}

continue
}

// runAsGroup set to 0
if runAsGroup != nil && *runAsGroup == 0 {
results = append(results, diagnostic.Diagnostic{
Message: fmt.Sprintf("container %q has runAsGroup set to %d", container.Name, *runAsGroup),
})

Check warning on line 76 in pkg/templates/runasnonroot/template.go

View check run for this annotation

Codecov / codecov/patch

pkg/templates/runasnonroot/template.go#L73-L76 

Added lines #L73 - L76 were not covered by tests
}
// runAsGroup is not set.
if runAsGroup == nil {
results = append(results, diagnostic.Diagnostic{
Message: fmt.Sprintf("container %q does not have runAsGroup set", container.Name),
})

Check warning on line 82 in pkg/templates/runasnonroot/template.go

View check run for this annotation

Codecov / codecov/patch

pkg/templates/runasnonroot/template.go#L79-L82 

Added lines #L79 - L82 were not covered by tests
}

runAsNonRoot := effectiveRunAsNonRoot(podSpec.SecurityContext, container.SecurityContext)
if runAsNonRoot {
// runAsNonRoot set, but runAsUser set to 0. This will result in a runtime failure.
Expand Down
14 changes: 10 additions & 4 deletions tests/checks/run-as-non-root.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,9 @@ spec:
spec:
containers:
- name: app
runAsUser: 1001
securityContext:
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
---
apiVersion: apps.openshift.io/v1
Expand All @@ -26,8 +27,9 @@ spec:
spec:
containers:
- name: app2
runAsUser: 1001
securityContext:
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
---
apiVersion: apps/v1
Expand All @@ -42,7 +44,9 @@ spec:
spec:
containers:
- name: app
runAsUser: 0
securityContext:
runAsUser: 0
runAsGroup: 0
---
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
Expand All @@ -55,4 +59,6 @@ spec:
spec:
containers:
- name: app2
runAsUser: 0
securityContext:
runAsUser: 0
runAsGroup: 0
Loading