Skip to content

Add workload security hardening checks#1213

Draft
sthadka wants to merge 3 commits into
mainfrom
security/workload-hardening-checks
Draft

Add workload security hardening checks#1213
sthadka wants to merge 3 commits into
mainfrom
security/workload-hardening-checks

Conversation

@sthadka

@sthadka sthadka commented Jun 26, 2026

Copy link
Copy Markdown

Summary

  • Add 3 new workload-level security checks using CEL expressions
  • Enhance existing host-network check description to document service mesh mTLS bypass risk

New Checks

Check What it detects
init-container-security-gap Init containers running as root despite pod-level runAsNonRoot
projected-token-long-expiration Projected SA tokens with expirationSeconds > 24h
automount-service-account-token Pods with auto-mounted SA tokens that may not need K8s API access

Enhanced Checks

Check Change
host-network Description updated to warn about service mesh mTLS bypass

Test plan

  • Each new check has test manifests with pass and fail cases
  • host-network enhancement is description-only — no behavioral change
  • All checks use existing CEL expression template — no new Go code

Note: This PR was created with AI assistance using Claude Code.

Add 3 new checks (init-container-security-gap, projected-token-long-expiration,
automount-service-account-token) and enhance host-network check description
to document service mesh mTLS bypass risk.
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: be691d11-ba32-44df-bf00-2b269cf82546

📥 Commits

Reviewing files that changed from the base of the PR and between 7641681 and 736b4d1.

📒 Files selected for processing (1)
  • e2etests/bats-tests.sh

📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • Added three new built-in security checks: automount-service-account-token, init-container-security-gap, and projected-token-long-expiration.
  • Documentation
    • Expanded the host-network check description and remediation with clearer security impact details and guidance.
  • Tests
    • Added new YAML fixtures and end-to-end Bats coverage for the new checks, including both passing and failing scenarios.

Walkthrough

Adds three built-in YAML checks for automounted service account tokens, init-container security gaps, and projected service account token expirations. It also expands host-network guidance text and adds YAML fixtures and end-to-end coverage for the new checks.

Changes

Security check YAML updates

Layer / File(s) Summary
Automount service account token check
pkg/builtinchecks/yamls/automount-service-account-token.yaml, tests/checks/automount-service-account-token.yml, e2etests/bats-tests.sh
Defines the automount-service-account-token check for DeploymentLike workloads and adds fixtures plus Bats coverage for omitted, false, and true pod template values.
Projected token expiration check
pkg/builtinchecks/yamls/projected-token-long-expiration.yaml, tests/checks/projected-token-long-expiration.yml, e2etests/bats-tests.sh
Defines the projected-token-long-expiration check for projected service account token volumes and adds fixtures plus Bats coverage for short and long expiration values.
Init-container security gap check
pkg/builtinchecks/yamls/init-container-security-gap.yaml, tests/checks/init-container-security-gap.yml, e2etests/bats-tests.sh
Defines the init-container-security-gap check for pod templates with runAsNonRoot: true and adds fixtures plus Bats coverage for no init container, hardened init container, and missing init-container security context.
HostNetwork guidance text
pkg/builtinchecks/yamls/hostnetwork.yaml
Expands the host-network description and remediation text into block scalars with additional details about mTLS, encryption, and host namespace sharing.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding workload security hardening checks.
Description check ✅ Passed The description matches the changeset, listing the new checks and the host-network documentation update.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security/workload-hardening-checks

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/builtinchecks/yamls/automount-service-account-token.yaml`:
- Around line 14-17: The automount check in the YAML rule is over-flagging
because it treats a missing pod-level automountServiceAccountToken as
auto-mounted even when the referenced ServiceAccount disables it. Update the
logic in the check expression to account for the effective ServiceAccount
setting, or narrow the rule’s name/docs to explicitly describe pod-spec-only
behavior; use the existing object context in
automount-service-account-token.yaml to keep the rule aligned with its intent.

In `@pkg/builtinchecks/yamls/init-container-security-gap.yaml`:
- Around line 2-8: The rule metadata in init-container-security-gap.yaml
overstates what the builtin check enforces, since the current CEL only validates
runAsNonRoot and does not check readOnlyRootFilesystem. Update the description
and remediation tied to this rule to mention only runAsNonRoot, or extend the
actual check logic in the corresponding builtin rule to also validate
readOnlyRootFilesystem; keep the wording aligned with the implementation in the
rule content.

In `@pkg/builtinchecks/yamls/projected-token-long-expiration.yaml`:
- Around line 2-5: The projected-token-long-expiration check documentation and
logic are inconsistent: the description claims it also catches projected tokens
without explicit expirationSeconds, but the CEL in the
projected-token-long-expiration rule only matches when that field is present.
Update the rule in the projected-token-long-expiration YAML so the expression
handles the omitted-field case too, and make sure the associated fixtures cover
both explicit long expirations and missing expirationSeconds; if that case is
not intended, remove the claim from the description instead.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dd95f5ae-8e37-4068-b254-dbfe84f31b98

📥 Commits

Reviewing files that changed from the base of the PR and between eab6d87 and cedf582.

📒 Files selected for processing (7)
  • pkg/builtinchecks/yamls/automount-service-account-token.yaml
  • pkg/builtinchecks/yamls/hostnetwork.yaml
  • pkg/builtinchecks/yamls/init-container-security-gap.yaml
  • pkg/builtinchecks/yamls/projected-token-long-expiration.yaml
  • tests/checks/automount-service-account-token.yml
  • tests/checks/init-container-security-gap.yml
  • tests/checks/projected-token-long-expiration.yml

Comment thread pkg/builtinchecks/yamls/automount-service-account-token.yaml
Comment thread pkg/builtinchecks/yamls/init-container-security-gap.yaml Outdated
Comment thread pkg/builtinchecks/yamls/projected-token-long-expiration.yaml Outdated
sthadka added 2 commits June 26, 2026 09:06
- Fix init-container-security-gap description to match CEL (runAsNonRoot only)
- Fix projected-token-long-expiration description to remove missing-expiration claim
- Clarify automount-service-account-token checks pod spec only
- Regenerate docs/generated/checks.md and templates.md
Add bats test entries for automount-service-account-token,
init-container-security-gap, and projected-token-long-expiration
in correct alphabetical order.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant