nuclei-templates/cloud/kubernetes/deployments/k8s-root-container-admissio...

id: k8s-root-container-admission

info:
  name: Minimize the admission of root containers
  author: princechaddha
  severity: critical
  description: Checks if any Kubernetes Deployments admit containers that run as root, which can pose a significant security risk.
  impact: |
    Allowing containers to run as root can lead to privilege escalation and unauthorized access to host resources, significantly compromising the security of the cluster.
  remediation: |
    Configure security contexts for all pods to run containers with a non-root user. Use Pod Security Policies or OPA/Gatekeeper to enforce these configurations.
  reference:
    - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
  tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security

flow: |
  code(1);
  for (let deployment of template.items) {
    set("deployment", deployment)
    javascript(1);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: kubectl get deployments --all-namespaces --output=json
    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[]'

javascript:
  - code: |
        deployment = JSON.parse(template.deployment);
        if (deployment.spec.template.spec.containers.some(container => container.securityContext && container.securityContext.runAsUser === null)) {
          let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' permits containers to run as root.`);
          Export(result);
        }

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a00473045022100f14d422cbd57235a92be20140747bc11a4f73ab68bae70297a73e83b90da0e2b02200b47eb6fcdc4533cd22fe335ae241fd43a20d85df6f259b12d6b909cdd59dfbe:922c64590222798bb761d5b6d8e72950
k8s templates 🚀 2024-05-26 04:52:23 +00:00			`id: k8s-root-container-admission`

			`info:`
			`name: Minimize the admission of root containers`
			`author: princechaddha`
			`severity: critical`
			`description: Checks if any Kubernetes Deployments admit containers that run as root, which can pose a significant security risk.`
			`impact: \|`
			`Allowing containers to run as root can lead to privilege escalation and unauthorized access to host resources, significantly compromising the security of the cluster.`
			`remediation: \|`
			`Configure security contexts for all pods to run containers with a non-root user. Use Pod Security Policies or OPA/Gatekeeper to enforce these configurations.`
			`reference:`
			`- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups`
added kubernetes cluster security profile 2024-06-18 12:04:45 +00:00			`tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security`
k8s templates 🚀 2024-05-26 04:52:23 +00:00
			`flow: \|`
			`code(1);`
			`for (let deployment of template.items) {`
			`set("deployment", deployment)`
			`javascript(1);`
			`}`

			`self-contained: true`
			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: kubectl get deployments --all-namespaces --output=json`
			`extractors:`
			`- type: json`
			`name: items`
			`internal: true`
			`json:`
			`- '.items[]'`

			`javascript:`
			`- code: \|`
			`deployment = JSON.parse(template.deployment);`
			`if (deployment.spec.template.spec.containers.some(container => container.securityContext && container.securityContext.runAsUser === null)) {`
			let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' permits containers to run as root.`);
			`Export(result);`
			`}`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- response`
Auto Template Signing [Tue Jun 25 11:14:32 UTC 2024] :robot: 2024-06-25 11:14:32 +00:00			`# digest: 4a0a00473045022100f14d422cbd57235a92be20140747bc11a4f73ab68bae70297a73e83b90da0e2b02200b47eb6fcdc4533cd22fe335ae241fd43a20d85df6f259b12d6b909cdd59dfbe:922c64590222798bb761d5b6d8e72950`