fix(kubernetes): validate seccomp profile at pod and container levels (…

…#5814)
prowler-cloud · Nov 19, 2024 · 7a4f5f3 · 7a4f5f3
1 parent e33b081
commit 7a4f5f3
Showing 1 changed file with 26 additions and 6 deletions.
diff --git a/.../services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.py b/.../services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.py
@@ -10,18 +10,38 @@ def execute(self) -> Check_Report_Kubernetes:
             report.namespace = pod.namespace
             report.resource_name = pod.name
             report.resource_id = pod.uid
-            if (
+
+            pod_seccomp_correct = (
                 pod.security_context
                 and pod.security_context.seccomp_profile
                 and pod.security_context.seccomp_profile.type == "RuntimeDefault"
-            ):
+            )
+            containers_seccomp_correct = True
+
+            # Check container-level seccomp profile
+            for container in pod.containers.values():
+                if not (
+                    container.security_context
+                    and container.security_context.seccomp_profile
+                    and container.security_context.seccomp_profile.type
+                    == "RuntimeDefault"
+                ):
+                    containers_seccomp_correct = False
+                    break
+
+            # Determine the report status
+            if pod_seccomp_correct or containers_seccomp_correct:
                 report.status = "PASS"
-                report.status_extended = (
-                    f"Pod {pod.name} has docker/default seccomp profile enabled."
-                )
+                report.status_extended = f"Pod {pod.name} and its containers have docker/default seccomp profile enabled."
             else:
                 report.status = "FAIL"
-                report.status_extended = f"Pod {pod.name} does not have docker/default seccomp profile enabled."
+                if not pod_seccomp_correct and not containers_seccomp_correct:
+                    report.status_extended = f"Pod {pod.name} does not have docker/default seccomp profile enabled at both pod and container levels."
+                elif not pod_seccomp_correct:
+                    report.status_extended = f"Pod {pod.name} does not have docker/default seccomp profile enabled at pod level."
+                else:
+                    report.status_extended = f"Pod {pod.name} does not have docker/default seccomp profile enabled at container level."
+
             findings.append(report)
 
         return findings