From 41071a59489089bc87729c5666034758ade20e24 Mon Sep 17 00:00:00 2001 From: Mancubus <16170560+mancubus77@users.noreply.github.com> Date: Thu, 2 Nov 2023 22:33:58 +1100 Subject: [PATCH] Add OpenShift SecurityContextConstraints object linting (#650) Co-authored-by: Cereberus --- docs/generated/checks.md | 15 ++++ docs/generated/templates.md | 18 ++++ e2etests/bats-tests.sh | 15 ++++ .../yamls/scc-deny-privileged-container.yaml | 10 +++ pkg/extract/scc_spec.go | 14 +++ pkg/lintcontext/mocks/scc.go | 23 +++++ pkg/lintcontext/parse_yaml.go | 3 +- pkg/objectkinds/securitycontext.go | 26 ++++++ pkg/templates/all/all.go | 1 + .../sccdenypriv/internal/params/gen-params.go | 69 +++++++++++++++ .../sccdenypriv/internal/params/params.go | 8 ++ pkg/templates/sccdenypriv/template.go | 42 +++++++++ pkg/templates/sccdenypriv/template_test.go | 70 +++++++++++++++ .../checks/scc-deny-privileged-container.yml | 87 +++++++++++++++++++ 14 files changed, 400 insertions(+), 1 deletion(-) create mode 100644 pkg/builtinchecks/yamls/scc-deny-privileged-container.yaml create mode 100644 pkg/extract/scc_spec.go create mode 100644 pkg/lintcontext/mocks/scc.go create mode 100644 pkg/objectkinds/securitycontext.go create mode 100644 pkg/templates/sccdenypriv/internal/params/gen-params.go create mode 100644 pkg/templates/sccdenypriv/internal/params/params.go create mode 100644 pkg/templates/sccdenypriv/template.go create mode 100644 pkg/templates/sccdenypriv/template_test.go create mode 100644 tests/checks/scc-deny-privileged-container.yml diff --git a/docs/generated/checks.md b/docs/generated/checks.md index 690cb8f25..8b26682f6 100644 --- a/docs/generated/checks.md +++ b/docs/generated/checks.md @@ -513,6 +513,21 @@ key: owner **Remediation**: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details. **Template**: [run-as-non-root](templates.md#run-as-non-root-user) +## scc-deny-privileged-container + +**Enabled by default**: No + +**Description**: Indicates when allowPrivilegedContainer SecurityContextConstraints set to true + +**Remediation**: SecurityContextConstraints has AllowPrivilegedContainer set to "true". Using this option is dangerous, please consider using allowedCapabilities instead. Refer to https://docs.openshift.com/container-platform/4.12/authentication/managing-security-context-constraints.html#scc-settings_configuring-internal-oauth for details. + +**Template**: [scc-deny-privileged-container](templates.md#securitycontextconstraints-allowprivilegedcontainer) + +**Parameters**: + +```yaml +AllowPrivilegedContainer: true +``` ## sensitive-host-mounts **Enabled by default**: Yes diff --git a/docs/generated/templates.md b/docs/generated/templates.md index 57c67be8b..569e0c059 100644 --- a/docs/generated/templates.md +++ b/docs/generated/templates.md @@ -694,6 +694,24 @@ KubeLinter supports the following templates: **Supported Objects**: DeploymentLike +## SecurityContextConstraints allowPrivilegedContainer + +**Key**: `scc-deny-privileged-container` + +**Description**: Flag SCC with allowPrivilegedContainer set to true + +**Supported Objects**: SecurityContextConstraints + + +**Parameters**: + +```yaml +- description: allowPrivilegedContainer value + name: allowPrivilegedContainer + required: false + type: boolean +``` + ## Service Account **Key**: `service-account` diff --git a/e2etests/bats-tests.sh b/e2etests/bats-tests.sh index 8371d6ab1..c9b03eba3 100755 --- a/e2etests/bats-tests.sh +++ b/e2etests/bats-tests.sh @@ -739,6 +739,21 @@ get_value_from() { [[ "${count}" == "2" ]] } +@test "scc-deny-privileged-container" { + tmp="tests/checks/scc-deny-privileged-container.yml" + cmd="${KUBE_LINTER_BIN} lint --include scc-deny-privileged-container --do-not-auto-add-defaults --format json ${tmp}" + run ${cmd} + + print_info "${status}" "${output}" "${cmd}" "${tmp}" + [ "$status" -eq 1 ] + + message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message') + count=$(get_value_from "${lines[0]}" '.Reports | length') + + [[ "${message1}" == "SecurityContextConstraints: SCC has allowPrivilegedContainer set to true" ]] + [[ "${count}" == "1" ]] +} + @test "sensitive-host-mounts" { tmp="tests/checks/sensitive-host-mounts.yml" cmd="${KUBE_LINTER_BIN} lint --include sensitive-host-mounts --do-not-auto-add-defaults --format json ${tmp}" diff --git a/pkg/builtinchecks/yamls/scc-deny-privileged-container.yaml b/pkg/builtinchecks/yamls/scc-deny-privileged-container.yaml new file mode 100644 index 000000000..bb6474ac9 --- /dev/null +++ b/pkg/builtinchecks/yamls/scc-deny-privileged-container.yaml @@ -0,0 +1,10 @@ +name: "scc-deny-privileged-container" +description: "Indicates when allowPrivilegedContainer SecurityContextConstraints set to true" +remediation: >- + SecurityContextConstraints has AllowPrivilegedContainer set to "true". Using this option is dangerous, please consider using allowedCapabilities instead. Refer to https://docs.openshift.com/container-platform/4.12/authentication/managing-security-context-constraints.html#scc-settings_configuring-internal-oauth for details. +scope: + objectKinds: + - SecurityContextConstraints +template: "scc-deny-privileged-container" +params: + AllowPrivilegedContainer: true \ No newline at end of file diff --git a/pkg/extract/scc_spec.go b/pkg/extract/scc_spec.go new file mode 100644 index 000000000..f84182596 --- /dev/null +++ b/pkg/extract/scc_spec.go @@ -0,0 +1,14 @@ +package extract + +import ( + ocpSecV1 "github.com/openshift/api/security/v1" + "golang.stackrox.io/kube-linter/pkg/k8sutil" +) + +// SCCallowPrivilegedContainer extracts allowPrivilegedContainer from the given object, if available. +func SCCallowPrivilegedContainer(obj k8sutil.Object) (bool, bool) { + if scc, ok := obj.(*ocpSecV1.SecurityContextConstraints); ok { + return scc.AllowPrivilegedContainer, true + } + return false, false +} diff --git a/pkg/lintcontext/mocks/scc.go b/pkg/lintcontext/mocks/scc.go new file mode 100644 index 000000000..4039c81ee --- /dev/null +++ b/pkg/lintcontext/mocks/scc.go @@ -0,0 +1,23 @@ +package mocks + +import ( + "testing" + + ocpSecV1 "github.com/openshift/api/security/v1" + "github.com/stretchr/testify/require" + "golang.stackrox.io/kube-linter/pkg/objectkinds" + metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// AddMockSecurityContextConstraints adds a mock SecurityContextConstraints to LintContext +func (l *MockLintContext) AddMockSecurityContextConstraints(t *testing.T, name string, allowFlag bool) { + require.NotEmpty(t, name) + l.objects[name] = &ocpSecV1.SecurityContextConstraints{ + TypeMeta: metaV1.TypeMeta{ + Kind: objectkinds.SecurityContextConstraints, + APIVersion: objectkinds.GetSCCAPIVersion(), + }, + ObjectMeta: metaV1.ObjectMeta{Name: name}, + AllowPrivilegedContainer: allowFlag, + } +} diff --git a/pkg/lintcontext/parse_yaml.go b/pkg/lintcontext/parse_yaml.go index 6d3d139e6..2cf8a78df 100644 --- a/pkg/lintcontext/parse_yaml.go +++ b/pkg/lintcontext/parse_yaml.go @@ -12,6 +12,7 @@ import ( y "github.com/ghodss/yaml" ocsAppsV1 "github.com/openshift/api/apps/v1" + ocpSecV1 "github.com/openshift/api/security/v1" "github.com/pkg/errors" k8sMonitoring "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" "golang.stackrox.io/kube-linter/pkg/k8sutil" @@ -42,7 +43,7 @@ func init() { clientScheme := scheme.Scheme // Add OpenShift and Autoscaling schema - schemeBuilder := runtime.NewSchemeBuilder(ocsAppsV1.AddToScheme, autoscalingV2Beta1.AddToScheme, k8sMonitoring.AddToScheme) + schemeBuilder := runtime.NewSchemeBuilder(ocsAppsV1.AddToScheme, autoscalingV2Beta1.AddToScheme, k8sMonitoring.AddToScheme, ocpSecV1.AddToScheme) if err := schemeBuilder.AddToScheme(clientScheme); err != nil { panic(fmt.Sprintf("Can not add OpenShift schema %v", err)) } diff --git a/pkg/objectkinds/securitycontext.go b/pkg/objectkinds/securitycontext.go new file mode 100644 index 000000000..4e64a31e3 --- /dev/null +++ b/pkg/objectkinds/securitycontext.go @@ -0,0 +1,26 @@ +package objectkinds + +import ( + ocpSecV1 "github.com/openshift/api/security/v1" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const ( + // Service represents Kubernetes Service objects. + SecurityContextConstraints = "SecurityContextConstraints" +) + +var ( + sccGVK = ocpSecV1.SchemeGroupVersion.WithKind("SecurityContextConstraints") +) + +func init() { + RegisterObjectKind(SecurityContextConstraints, MatcherFunc(func(gvk schema.GroupVersionKind) bool { + return gvk == sccGVK + })) +} + +// GetSCCAPIVersion returns SCC's apiversion +func GetSCCAPIVersion() string { + return sccGVK.GroupVersion().String() +} diff --git a/pkg/templates/all/all.go b/pkg/templates/all/all.go index 1834dc4e5..e29ed9639 100644 --- a/pkg/templates/all/all.go +++ b/pkg/templates/all/all.go @@ -46,6 +46,7 @@ import ( _ "golang.stackrox.io/kube-linter/pkg/templates/requiredannotation" _ "golang.stackrox.io/kube-linter/pkg/templates/requiredlabel" _ "golang.stackrox.io/kube-linter/pkg/templates/runasnonroot" + _ "golang.stackrox.io/kube-linter/pkg/templates/sccdenypriv" _ "golang.stackrox.io/kube-linter/pkg/templates/serviceaccount" _ "golang.stackrox.io/kube-linter/pkg/templates/servicetype" _ "golang.stackrox.io/kube-linter/pkg/templates/sysctl" diff --git a/pkg/templates/sccdenypriv/internal/params/gen-params.go b/pkg/templates/sccdenypriv/internal/params/gen-params.go new file mode 100644 index 000000000..e5151293a --- /dev/null +++ b/pkg/templates/sccdenypriv/internal/params/gen-params.go @@ -0,0 +1,69 @@ +// Code generated by kube-linter template codegen. DO NOT EDIT. +// +build !templatecodegen + +package params + +import ( + "fmt" + "strings" + + "github.com/pkg/errors" + "golang.stackrox.io/kube-linter/pkg/check" + "golang.stackrox.io/kube-linter/pkg/templates/util" +) + +var ( + // Use some imports in case they don't get used otherwise. + _ = util.MustParseParameterDesc + _ = fmt.Sprintf + + allowPrivilegedContainerParamDesc = util.MustParseParameterDesc(`{ + "Name": "allowPrivilegedContainer", + "Type": "boolean", + "Description": "allowPrivilegedContainer value", + "Examples": null, + "Enum": null, + "SubParameters": null, + "ArrayElemType": "", + "Required": false, + "NoRegex": false, + "NotNegatable": false, + "XXXStructFieldName": "AllowPrivilegedContainer", + "XXXIsPointer": false +} +`) + + ParamDescs = []check.ParameterDesc{ + allowPrivilegedContainerParamDesc, + } +) + +func (p *Params) Validate() error { + var validationErrors []string + if len(validationErrors) > 0 { + return errors.Errorf("invalid parameters: %s", strings.Join(validationErrors, ", ")) + } + return nil +} + +// ParseAndValidate instantiates a Params object out of the passed map[string]interface{}, +// validates it, and returns it. +// The return type is interface{} to satisfy the type in the Template struct. +func ParseAndValidate(m map[string]interface{}) (interface{}, error) { + var p Params + if err := util.DecodeMapStructure(m, &p); err != nil { + return nil, err + } + if err := p.Validate(); err != nil { + return nil, err + } + return p, nil +} + +// WrapInstantiateFunc is a convenience wrapper that wraps an untyped instantiate function +// into a typed one. +func WrapInstantiateFunc(f func(p Params) (check.Func, error)) func (interface{}) (check.Func, error) { + return func(paramsInt interface{}) (check.Func, error) { + return f(paramsInt.(Params)) + } +} diff --git a/pkg/templates/sccdenypriv/internal/params/params.go b/pkg/templates/sccdenypriv/internal/params/params.go new file mode 100644 index 000000000..3abd8f01b --- /dev/null +++ b/pkg/templates/sccdenypriv/internal/params/params.go @@ -0,0 +1,8 @@ +package params + +// Params represents the params accepted by this template. +type Params struct { + + // allowPrivilegedContainer value + AllowPrivilegedContainer bool +} diff --git a/pkg/templates/sccdenypriv/template.go b/pkg/templates/sccdenypriv/template.go new file mode 100644 index 000000000..dc120faf6 --- /dev/null +++ b/pkg/templates/sccdenypriv/template.go @@ -0,0 +1,42 @@ +package sccdenypriv + +import ( + "fmt" + + "golang.stackrox.io/kube-linter/pkg/check" + "golang.stackrox.io/kube-linter/pkg/config" + "golang.stackrox.io/kube-linter/pkg/diagnostic" + "golang.stackrox.io/kube-linter/pkg/extract" + "golang.stackrox.io/kube-linter/pkg/lintcontext" + "golang.stackrox.io/kube-linter/pkg/objectkinds" + "golang.stackrox.io/kube-linter/pkg/templates" + "golang.stackrox.io/kube-linter/pkg/templates/sccdenypriv/internal/params" +) + +const ( + templateKey = "scc-deny-privileged-container" +) + +func init() { + templates.Register(check.Template{ + HumanName: "SecurityContextConstraints allowPrivilegedContainer", + Key: templateKey, + Description: "Flag SCC with allowPrivilegedContainer set to true", + SupportedObjectKinds: config.ObjectKindsDesc{ + ObjectKinds: []string{objectkinds.SecurityContextConstraints}, + }, + Parameters: params.ParamDescs, + ParseAndValidateParams: params.ParseAndValidate, + Instantiate: params.WrapInstantiateFunc(func(p params.Params) (check.Func, error) { + return func(_ lintcontext.LintContext, object lintcontext.Object) []diagnostic.Diagnostic { + state, found := extract.SCCallowPrivilegedContainer(object.K8sObject) + if found && state == p.AllowPrivilegedContainer { + return []diagnostic.Diagnostic{ + {Message: fmt.Sprintf("SCC has allowPrivilegedContainer set to %v", state)}, + } + } + return nil + }, nil + }), + }) +} diff --git a/pkg/templates/sccdenypriv/template_test.go b/pkg/templates/sccdenypriv/template_test.go new file mode 100644 index 000000000..e12d1a3f4 --- /dev/null +++ b/pkg/templates/sccdenypriv/template_test.go @@ -0,0 +1,70 @@ +package sccdenypriv + +import ( + "testing" + + "github.com/stretchr/testify/suite" + "golang.stackrox.io/kube-linter/pkg/diagnostic" + "golang.stackrox.io/kube-linter/pkg/lintcontext/mocks" + "golang.stackrox.io/kube-linter/pkg/templates" + "golang.stackrox.io/kube-linter/pkg/templates/sccdenypriv/internal/params" +) + +func TestSCCPriv(t *testing.T) { + suite.Run(t, new(SCCPrivTestSuite)) +} + +type SCCPrivTestSuite struct { + templates.TemplateTestSuite + + ctx *mocks.MockLintContext +} + +func (s *SCCPrivTestSuite) SetupTest() { + s.Init(templateKey) + s.ctx = mocks.NewMockContext() +} + +func (s *SCCPrivTestSuite) addSCCWithPriv(name string, allowFlag bool) { + s.ctx.AddMockSecurityContextConstraints(s.T(), name, allowFlag) +} + +func (s *SCCPrivTestSuite) TestPrivFalse() { + const acceptableScc = "scc-priv-false" + + s.addSCCWithPriv(acceptableScc, false) + + s.Validate(s.ctx, []templates.TestCase{ + { + Param: params.Params{ + AllowPrivilegedContainer: true, + }, + Diagnostics: map[string][]diagnostic.Diagnostic{ + acceptableScc: nil, + }, + ExpectInstantiationError: false, + }, + }) +} + +func (s *SCCPrivTestSuite) TestPrivTrue() { + const ( + unacceptableScc = "scc-priv-true" + ) + + s.addSCCWithPriv(unacceptableScc, true) + + s.Validate(s.ctx, []templates.TestCase{ + { + Param: params.Params{ + AllowPrivilegedContainer: true, + }, + Diagnostics: map[string][]diagnostic.Diagnostic{ + unacceptableScc: { + {Message: "SCC has allowPrivilegedContainer set to true"}, + }, + }, + ExpectInstantiationError: false, + }, + }) +} diff --git a/tests/checks/scc-deny-privileged-container.yml b/tests/checks/scc-deny-privileged-container.yml new file mode 100644 index 000000000..b5069b2d5 --- /dev/null +++ b/tests/checks/scc-deny-privileged-container.yml @@ -0,0 +1,87 @@ +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: true +allowedCapabilities: null +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: [] +kind: SecurityContextConstraints +metadata: + labels: + owner: owner + app: app1 + name: app1 +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: RunAsAny + uid: 1000 +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: +- system:serviceaccount:ns:chart-jenkins-agent +volumes: +- configMap +- downwardAPI +- emptyDir +- hostPath +- persistentVolumeClaim +- projected +- secret +--- +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: [] +kind: SecurityContextConstraints +metadata: + labels: + owner: owner + app: app1 + name: dont-fire +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: RunAsAny + uid: 1000 +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: +- system:serviceaccount:ns:chart-jenkins-agent +volumes: +- configMap +- downwardAPI +- emptyDir +- hostPath +- persistentVolumeClaim +- projected +- secret