Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

fix(kubernetes): validate seccomp profile at pod and container levels #5814

Merged
merged 1 commit into from
Nov 19, 2024
Merged

fix(kubernetes): validate seccomp profile at pod and container levels #5814

merged 1 commit into from
Nov 19, 2024

Conversation

MrCloudSec
Copy link
Member

Context

The issue highlights an incorrect validation in Prowler's Kubernetes check for ensuring that the docker/default seccomp profile is enabled in pods. The validation incorrectly flags pods with seccompProfile.type: RuntimeDefault as failing, despite this configuration being compliant.

The problem arises because the check does not fully account for cases where the RuntimeDefault profile is correctly set in the securityContext in the pod containers.

Fix #5803

Description

This PR updates the core_seccomp_profile_docker_default check to properly validate the seccomp profile at both the pod and container levels. The new implementation ensures:

  • Pods are validated for securityContext.seccompProfile.type: RuntimeDefault.
  • Each container within a pod is individually checked for securityContext.seccompProfile.type: RuntimeDefault.
  • The failure message specifies whether the issue lies at the pod level or within specific containers, making it easier for users to debug.

Checklist

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@MrCloudSec MrCloudSec requested review from a team as code owners November 18, 2024 20:38
@github-actions github-actions bot added the provider/kubernetes Issues/PRs related with the Kubernetes provider label Nov 18, 2024
@MrCloudSec MrCloudSec mentioned this pull request Nov 18, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Nov 18, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.90%. Comparing base (572d5a1) to head (36ab26a).
Report is 701 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #5814      +/-   ##
==========================================
- Coverage   89.91%   89.90%   -0.01%     
==========================================
  Files        1133     1133              
  Lines       35308    35308              
==========================================
- Hits        31747    31745       -2     
- Misses       3561     3563       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

jfagoagas
jfagoagas approved these changes Nov 19, 2024
View reviewed changes
Copy link
Member

@jfagoagas jfagoagas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great fix 🥇

@jfagoagas jfagoagas merged commit 7a4f5f3 into master Nov 19, 2024
10 of 11 checks passed
@jfagoagas jfagoagas deleted the PRWLR-5402-cis-1-8-5-7-2-fails-even-though-seccomp-profile-is-set-to-run-time-default-5803 branch November 19, 2024 14:04
@prowler-bot prowler-bot mentioned this pull request Nov 19, 2024
Merged
@prowler-bot prowler-bot added the was-backported The PR was successfully backported to the target branch label Nov 19, 2024
@prowler-bot
Copy link
Collaborator

💚 All backports created successfully

Status Branch Result
v4.5

Questions ?

Please refer to the Backport tool documentation and see the Github Action logs for details

@jfagoagas jfagoagas added the backport-to-v4.5 Backport PR to the v4.5 branch label Dec 5, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@jfagoagas jfagoagas jfagoagas approved these changes

Assignees
No one assigned
Labels
backport-to-v4.5 Backport PR to the v4.5 branch provider/kubernetes Issues/PRs related with the Kubernetes provider was-backported The PR was successfully backported to the target branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CIS 1.8 5.7.2 fails even though seccomp profile is set to runTimeDefault
3 participants
@MrCloudSec @prowler-bot @jfagoagas