48 lines
1.8 KiB
YAML
48 lines
1.8 KiB
YAML
id: k8s-root-container-admission
|
|
|
|
info:
|
|
name: Minimize the admission of root containers
|
|
author: princechaddha
|
|
severity: critical
|
|
description: Checks if any Kubernetes Deployments admit containers that run as root, which can pose a significant security risk.
|
|
impact: |
|
|
Allowing containers to run as root can lead to privilege escalation and unauthorized access to host resources, significantly compromising the security of the cluster.
|
|
remediation: |
|
|
Configure security contexts for all pods to run containers with a non-root user. Use Pod Security Policies or OPA/Gatekeeper to enforce these configurations.
|
|
reference:
|
|
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
|
|
tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let deployment of template.items) {
|
|
set("deployment", deployment)
|
|
javascript(1);
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: kubectl get deployments --all-namespaces --output=json
|
|
extractors:
|
|
- type: json
|
|
name: items
|
|
internal: true
|
|
json:
|
|
- '.items[]'
|
|
|
|
javascript:
|
|
- code: |
|
|
deployment = JSON.parse(template.deployment);
|
|
if (deployment.spec.template.spec.containers.some(container => container.securityContext && container.securityContext.runAsUser === null)) {
|
|
let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' permits containers to run as root.`);
|
|
Export(result);
|
|
}
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- response
|
|
# digest: 4a0a00473045022100f14d422cbd57235a92be20140747bc11a4f73ab68bae70297a73e83b90da0e2b02200b47eb6fcdc4533cd22fe335ae241fd43a20d85df6f259b12d6b909cdd59dfbe:922c64590222798bb761d5b6d8e72950 |