

INSIGHTS-475 Add 3 new checks to polaris (#1082)
* INSIGHTS-448 Add Two Polaris Checks

* Added another check

* Added another check

* Added another check

* Added another check

* Added another check

* Added another check

* Fixing issue

* Fixing issue

* Added another validation

* Added some tests cases

* Added some tests cases

* Update pkg/config/checks/hostProcess.yaml

* Update pkg/validator/pod_test.go

---------

Co-authored-by: Andy Suderman <andy@fairwinds.com>
jdesouza and sudermanjr authored Nov 13, 2024
1 parent 4b87baf commit 4dd3a81
Showing 15 changed files with 227 additions and 2 deletions.
3 changes: 3 additions & 0 deletions pkg/config/checks.go
Expand Up @@ -29,11 +29,14 @@ var (
"deploymentMissingReplicas",
// Pod checks
"hostIPCSet",
"hostPathSet",
"hostProcess",
"hostPIDSet",
"hostNetworkSet",
"automountServiceAccountToken",
"topologySpreadConstraint",
// Container checks
"procMount",
"memoryLimitsMissing",
"memoryRequestsMissing",
"cpuLimitsMissing",
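Review bot: `procMount` is registered under the `// Container checks` comment, but the new pkg/config/checks/procMount.yaml declares `target: PodSpec` and walks `containers` itself, so the grouping here and the check's target disagree. Either move the entry up into the pod-check group, or change the check to `target: Container` so it is expressed the same way as the other container-level security checks. The `var (` block this hunk edits starts above the visible lines.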
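--- a/pkg/config/checks/hostPathSet.yaml
+++ b/pkg/config/checks/hostPathSet.yaml
@@ -0,0 +1,16 @@
+successMessage: HostPath volumes are not configured
+failureMessage: HostPath volumes must be forbidden
+category: Security
+target: PodSpec
+schema:
+'$schema': http://json-schema.org/draft-07/schema
+type: object
+properties:
+volumes:
+type: array
+items:
+type: object
+properties:
+hostPath:
+type: string
+const: ''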
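Review bot: The schema forbids hostPath by declaring it `type: string` with `const: ''`, which only works because a HostPathVolumeSource is an object and can never satisfy `type: string`; the `const` is dead and the intent is hard to read. Draft-07 can say "this key must be absent" directly: under `items`, replace the `properties.hostPath` subtree with `not:` followed by `required: [hostPath]`, which evaluates the same way for the fixtures in this commit. Note the check treats read-only and writable hostPath mounts identically; that matches a forbid-style check, but the failureMessage could say so to avoid tickets asking why a read-only mount is flagged.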
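--- a/pkg/config/checks/hostProcess.yaml
+++ b/pkg/config/checks/hostProcess.yaml
@@ -0,0 +1,31 @@
+successMessage: Privileged access to the host check is valid
+failureMessage: Privileged access to the host is disallowed
+category: Security
+target: PodSpec
+schema:
+'$schema': http://json-schema.org/draft-07/schema
+type: object
+properties:
+containers:
+type: array
+items:
+type: object
+properties:
+securityContext:
+type: object
+properties:
+windowsOptions:
+type: object
+properties:
+hostProcess:
+type: boolean
+const: false
+securityContext:
+type: object
+properties:
+windowsOptions:
+type: object
+properties:
+hostProcess:
+type: boolean
+const: false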
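Review bot: The container-level branch iterates only `containers`, so a HostProcess container declared under `initContainers` is never evaluated even though it runs with the same host-level access; pkg/config/checks/procMount.yaml has the same gap for `procMount`. Rooting the container half at `target: Container` with a schema on `securityContext.windowsOptions.hostProcess` would, as I understand Polaris's container targeting, cover init containers as well (please confirm), leaving the pod-level `securityContext` branch as a PodSpec-targeted check. Separately, the successMessage `Privileged access to the host check is valid` describes the check rather than the workload; `Windows HostProcess containers are not configured` would match the neighbouring hostIPC/hostPID messages and would need the matching string in pkg/validator/pod_test.go updated.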
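--- a/pkg/config/checks/procMount.yaml
+++ b/pkg/config/checks/procMount.yaml
@@ -0,0 +1,19 @@
+successMessage: The default /proc masks are set up to reduce attack surface, and should be required
+failureMessage: Proc mount must not be changed from the default
+category: Security
+target: PodSpec
+schema:
+'$schema': http://json-schema.org/draft-07/schema
+type: object
+properties:
+containers:
+type: array
+items:
+type: object
+properties:
+securityContext:
+type: object
+properties:
+procMount:
+type: string
+const: Default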
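Review bot: The successMessage `The default /proc masks are set up to reduce attack surface, and should be required` is the Pod Security Standards rationale text, not a statement about the pod that passed; a result message in the style of the other checks would be `Proc mount is not changed from the default`. The expected string in pkg/validator/pod_test.go would need to change with it. The `procMount` field is absent on most Linux workloads, and absence passes here, which is the right default since the API treats a missing value as `Default`.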
3 changes: 3 additions & 0 deletions pkg/config/default.yaml
Expand Up @@ -23,11 +23,14 @@ checks:
# security
automountServiceAccountToken: warning
hostIPCSet: danger
hostPathSet: warning
hostProcess: warning
hostPIDSet: danger
linuxHardening: warning
missingNetworkPolicy: warning
notReadOnlyRootFilesystem: warning
privilegeEscalationAllowed: danger
procMount: warning
runAsRootAllowed: danger
runAsPrivileged: danger
dangerousCapabilities: danger
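Review bot: `hostProcess: warning` sits below `hostPIDSet: danger`, `hostIPCSet: danger` and `runAsPrivileged: danger`, yet a Windows HostProcess container runs directly on the node and the Pod Security Standards baseline rejects it alongside privileged containers, so `hostProcess: danger` would be the consistent default if this table is meant to track that profile. `hostPathSet: warning` is a defensible compromise given how common hostPath is, but the two new entries should at least be ranked relative to each other deliberately. The same table is mirrored in pkg/config/examples/config-full.yaml and should move together.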
3 changes: 3 additions & 0 deletions pkg/config/examples/config-full.yaml
Expand Up @@ -23,11 +23,14 @@ checks:
# security
automountServiceAccountToken: warning
hostIPCSet: danger
hostPathSet: warning
hostProcess: warning
hostPIDSet: danger
linuxHardening: danger
missingNetworkPolicy: warning
notReadOnlyRootFilesystem: warning
privilegeEscalationAllowed: danger
procMount: warning
runAsRootAllowed: danger
runAsPrivileged: danger
dangerousCapabilities: danger
34 changes: 32 additions & 2 deletions pkg/validator/pod_test.go
Expand Up @@ -18,6 +18,7 @@ import (
"testing"

"github.com/stretchr/testify/assert"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

conf "github.com/fairwindsops/polaris/pkg/config"
Expand All @@ -32,14 +33,17 @@ func TestValidatePod(t *testing.T) {
"hostPIDSet": conf.SeverityDanger,
"hostNetworkSet": conf.SeverityWarning,
"hostPortSet": conf.SeverityDanger,
"hostPathSet": conf.SeverityWarning,
"procMount": conf.SeverityWarning,
"hostProcess": conf.SeverityWarning,
},
}

p := test.MockPod()
deployment, err := kube.NewGenericResourceFromPod(p, nil)
assert.NoError(t, err)
expectedSum := CountSummary{
Successes: uint(4),
Successes: uint(7),
Warnings: uint(0),
Dangers: uint(0),
}
Expand All @@ -48,6 +52,9 @@ func TestValidatePod(t *testing.T) {
"hostIPCSet": {ID: "hostIPCSet", Message: "Host IPC is not configured", Success: true, Severity: "danger", Category: "Security"},
"hostNetworkSet": {ID: "hostNetworkSet", Message: "Host network is not configured", Success: true, Severity: "warning", Category: "Security"},
"hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"},
"hostPathSet": {ID: "hostPathSet", Message: "HostPath volumes are not configured", Success: true, Severity: "warning", Category: "Security"},
"procMount": {ID: "procMount", Message: "The default /proc masks are set up to reduce attack surface, and should be required", Success: true, Severity: "warning", Category: "Security"},
"hostProcess": {ID: "hostProcess", Message: "Privileged access to the host check is valid", Success: true, Severity: "warning", Category: "Security"},
}

actualPodResult, err := applyControllerSchemaChecks(&c, nil, deployment)
Expand All @@ -67,22 +74,45 @@ func TestInvalidIPCPod(t *testing.T) {
"hostPIDSet": conf.SeverityDanger,
"hostNetworkSet": conf.SeverityWarning,
"hostPortSet": conf.SeverityDanger,
"hostPathSet": conf.SeverityWarning,
"procMount": conf.SeverityWarning,
"hostProcess": conf.SeverityWarning,
},
}

p := test.MockPod()
p.Spec.HostIPC = true
p.Spec.Volumes = append(p.Spec.Volumes, v1.Volume{
Name: "hostpath",
VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{
Path: "/var/run/docker.sock",
},
},
})
procMount := v1.UnmaskedProcMount
p.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
ProcMount: &procMount,
}
hostProcess := true
p.Spec.Containers[0].SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{
HostProcess: &hostProcess,
}

workload, err := kube.NewGenericResourceFromPod(p, nil)
assert.NoError(t, err)
expectedSum := CountSummary{
Successes: uint(3),
Warnings: uint(0),
Warnings: uint(3),
Dangers: uint(1),
}
expectedResults := ResultSet{
"hostIPCSet": {ID: "hostIPCSet", Message: "Host IPC should not be configured", Success: false, Severity: "danger", Category: "Security"},
"hostNetworkSet": {ID: "hostNetworkSet", Message: "Host network is not configured", Success: true, Severity: "warning", Category: "Security"},
"hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"},
"hostPathSet": {ID: "hostPathSet", Message: "HostPath volumes must be forbidden", Success: false, Severity: "warning", Category: "Security"},
"procMount": {ID: "procMount", Message: "Proc mount must not be changed from the default", Success: false, Severity: "warning", Category: "Security"},
"hostProcess": {ID: "hostProcess", Message: "Privileged access to the host is disallowed", Success: false, Severity: "warning", Category: "Security"},
}

actualPodResult, err := applyControllerSchemaChecks(&c, nil, workload)
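Review bot: The failure case sets `WindowsOptions.HostProcess` only on `Containers[0]`, so the pod-level `securityContext.windowsOptions.hostProcess` branch added in hostProcess.yaml has no Go test, and neither new check is exercised against an init container. A pod-level case is one statement: `p.Spec.SecurityContext = &v1.PodSecurityContext{WindowsOptions: &v1.WindowsSecurityContextOptions{HostProcess: &hostProcess}}`, and an `InitContainers` entry with `ProcMount: &procMount` would document whether the checks are expected to reach init containers at all. `TestInvalidIPCPod` now asserts four distinct failures under a name that promises one; splitting it or renaming it would keep the failure output readable. The function continues past this hunk.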
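--- a/test/checks/hostPathSet/failure.yaml
+++ b/test/checks/hostPathSet/failure.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: nginx
+labels:
+app.kubernetes.io/name: nginx
+spec:
+containers:
+- name: nginx
+image: nginx
+volumes:
+- name: log-volume
+hostPath:
+path: /var/log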
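--- a/test/checks/hostPathSet/success.yaml
+++ b/test/checks/hostPathSet/success.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: nginx
+labels:
+app.kubernetes.io/name: nginx
+spec:
+containers:
+- name: nginx
+image: nginx
+volumes:
+- name: log-volume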
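Review bot: `log-volume` declares no volume source, so the fixture is an incomplete Volume object; the API server would default it to an emptyDir on admission, but a static fixture should not rely on that. Adding `emptyDir: {}` under the volume makes the intent explicit: a non-hostPath volume passes the check.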
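--- a/test/checks/hostProcess/failure.container.yaml
+++ b/test/checks/hostProcess/failure.container.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: nginx
+labels:
+app.kubernetes.io/name: nginx
+spec:
+containers:
+- name: nginx
+image: nginx
+ports:
+- containerPort: 80
+hostPort: 8080
+securityContext:
+windowsOptions:
+hostProcess: true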
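Review bot: As rendered here, test/checks/hostProcess/failure.container.yaml and failure.yaml are identical, and so are the two success fixtures; if the non-`.container` variants are meant to exercise the pod-level `securityContext.windowsOptions` branch of the check, they currently do not. Indentation is lost in this view, so confirm against the raw files; if they really are duplicates, failure.yaml and success.yaml should place `windowsOptions` under `spec.securityContext` rather than under the container. The `ports`/`hostPort: 8080` block looks carried over from another fixture and is unrelated to this check; dropping it keeps the fixture to the one property under test.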
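--- a/test/checks/hostProcess/failure.yaml
+++ b/test/checks/hostProcess/failure.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: nginx
+labels:
+app.kubernetes.io/name: nginx
+spec:
+containers:
+- name: nginx
+image: nginx
+ports:
+- containerPort: 80
+hostPort: 8080
+securityContext:
+windowsOptions:
+hostProcess: true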
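--- a/test/checks/hostProcess/success.container.yaml
+++ b/test/checks/hostProcess/success.container.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: nginx
+labels:
+app.kubernetes.io/name: nginx
+spec:
+containers:
+- name: nginx
+image: nginx
+ports:
+- containerPort: 80
+hostPort: 8080
+securityContext:
+windowsOptions:
+hostProcess: false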
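--- a/test/checks/hostProcess/success.yaml
+++ b/test/checks/hostProcess/success.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: nginx
+labels:
+app.kubernetes.io/name: nginx
+spec:
+containers:
+- name: nginx
+image: nginx
+ports:
+- containerPort: 80
+hostPort: 8080
+securityContext:
+windowsOptions:
+hostProcess: false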
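--- a/test/checks/procMount/failure.yaml
+++ b/test/checks/procMount/failure.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: nginx
+labels:
+app.kubernetes.io/name: nginx
+spec:
+containers:
+- name: nginx
+image: nginx
+ports:
+- containerPort: 80
+hostPort: 8080
+securityContext:
+procMount: Other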
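Review bot: `procMount: Other` is not a value the Kubernetes API accepts; `ProcMountType` is limited to `Default` and `Unmasked`, so this fixture describes a pod the API server would reject rather than the real failure mode. Use `procMount: Unmasked`, which is also what pkg/validator/pod_test.go exercises via `v1.UnmaskedProcMount`. The `ports` block with `hostPort: 8080` is unrelated to this check and can be dropped.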
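--- a/test/checks/procMount/success.yaml
+++ b/test/checks/procMount/success.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: nginx
+labels:
+app.kubernetes.io/name: nginx
+spec:
+containers:
+- name: nginx
+image: nginx
+ports:
+- containerPort: 80
+hostPort: 8080
+securityContext:
+procMount: Default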
