diff --git a/cloud/kubernetes/deployments/k8s-privileged-container.yaml b/cloud/kubernetes/deployments/k8s-privileged-container.yaml index f1a401bf82..b37e429c23 100644 --- a/cloud/kubernetes/deployments/k8s-privileged-container.yaml +++ b/cloud/kubernetes/deployments/k8s-privileged-container.yaml @@ -4,11 +4,11 @@ info: name: Privileged Containers Found in Deployments author: princechaddha severity: critical - description: Checks for containers running in privileged mode within Kubernetes Deployments, which can pose significant security risks. + description: Checks for containers running in privileged mode within Kubernetes Deployments, and now also checks for user privileges and privilege escalation settings. impact: | - Running containers in privileged mode grants them access to host resources and could lead to security breaches if the container is compromised. + Running containers in privileged mode, as the root user, or with privilege escalation enabled can grant them access to host resources and could lead to security breaches if the container is compromised. remediation: | - Ensure that no container in Kubernetes Deployments runs in privileged mode. Modify the security context for each container to set `privileged: false`. + Ensure that no container in Kubernetes Deployments runs in privileged mode, as the root user, or with privilege escalation enabled. Modify the security context for each container to set `privileged: false`, `runAsUser` appropriately, and `allowPrivilegeEscalation: false`. reference: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged tags: cloud,devops,kubernetes,k8s,devsecops,deployments @@ -36,13 +36,17 @@ code: javascript: - code: | deployment = JSON.parse(template.deployment); - if (deployment.spec.template.spec.containers.some(container => container.securityContext && container.securityContext.privileged)) { - let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' is running one or more containers in privileged mode.`); - Export(result); + for (let container of deployment.spec.template.spec.containers) { + let sc = container.securityContext || {}; + if (sc.privileged || sc.runAsUser < 1000 || sc.allowPrivilegeEscalation) { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' is running container '${container.name}' with insecure settings: Privileged=${sc.privileged}, runAsUser=${sc.runAsUser}, allowPrivilegeEscalation=${sc.allowPrivilegeEscalation}.`); + Export(result); + break; + } } extractors: - type: dsl dsl: - response -# digest: 4a0a00473045022100f896dc71c39119ecfd505a21a22dfcec6e06896f4d4b528cec13cf998181dd3902203458b94c2d0bf33603b64f5aa503123505a983941b01b9d0aada0b8985666044:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file +# digest: 490a00463044022038295a725d25b77f920cfd32a5a407220f8f9c5faa37544670696f4cea356434022027fd56a2feae1101fe03c0d2e6e2452a2a89947f5c14e9711b8a744d11368b1e:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file diff --git a/cloud/kubernetes/deployments/k8s-host-network-namespace-shared.yaml b/cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml similarity index 52% rename from cloud/kubernetes/deployments/k8s-host-network-namespace-shared.yaml rename to cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml index 50c0440a14..6564d3b93f 100644 --- a/cloud/kubernetes/deployments/k8s-host-network-namespace-shared.yaml +++ b/cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml @@ -4,19 +4,19 @@ info: name: Host Network Namespace Sharing author: princechaddha severity: high - description: Checks if containers in Kubernetes Deployments are configured to share the host's network namespace, which can lead to security risks. + description: Checks if containers in Kubernetes Pods are configured to share the host's network namespace, which can lead to security risks. impact: | Sharing the host's network namespace allows containers to access the host network directly. This can lead to potential security breaches as containers might bypass network policies and gain unrestricted network access on the host. remediation: | - Ensure that the 'hostNetwork' field is set to false in all Kubernetes Deployments to prevent containers from sharing the host's network namespace. + Ensure that the 'hostNetwork' field is set to false in all Kubernetes Pods to prevent containers from sharing the host's network namespace. reference: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces tags: cloud,devops,kubernetes,k8s,devsecops,namespace flow: | code(1); - for (let deployment of template.items) { - set("deployment", deployment) + for (let pod of template.items) { + set("pod", pod) javascript(1); } @@ -25,7 +25,7 @@ code: - engine: - sh - bash - source: kubectl get deployments --all-namespaces --output=json + source: kubectl get pods --all-namespaces --output=json extractors: - type: json name: items @@ -35,13 +35,13 @@ code: javascript: - code: | - deployment = JSON.parse(template.deployment); - if (deployment.spec.template.spec.hostNetwork) { - let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' is configured to share the host's network namespace.`); + pod = JSON.parse(template.pod); + if (pod.spec.hostNetwork) { + let result = (`Pod '${pod.metadata.name}' in namespace '${pod.metadata.namespace}' is configured to share the host's network namespace.`); Export(result); } extractors: - type: dsl dsl: - response -# digest: 4b0a00483046022100cd66750a4f7a5b20df75d62c2f9321edc46cac18cfd5599f45adc232248d3653022100dff978e8738723e829177c98c67e250a3fa1f9f5b8fa36db590af252c936ef73:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file +# digest: 4b0a004830460221008eef4a8e8215cf69d36f0d94aa83b3531ce19730942b461b27842147f7f39973022100dfc800230845da0fe800dac62b006dc4a27d52a9b1684e7153165782e7d3472b:366f2a24c8eb519f6968bd8801c08ebe