Add workload security hardening checks#1213
Conversation
Add 3 new checks (init-container-security-gap, projected-token-long-expiration, automount-service-account-token) and enhance host-network check description to document service mesh mTLS bypass risk.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Central YAML (base), Organization UI (inherited) Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
📝 WalkthroughSummary by CodeRabbit
WalkthroughAdds three built-in YAML checks for automounted service account tokens, init-container security gaps, and projected service account token expirations. It also expands host-network guidance text and adds YAML fixtures and end-to-end coverage for the new checks. ChangesSecurity check YAML updates
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pkg/builtinchecks/yamls/automount-service-account-token.yaml`:
- Around line 14-17: The automount check in the YAML rule is over-flagging
because it treats a missing pod-level automountServiceAccountToken as
auto-mounted even when the referenced ServiceAccount disables it. Update the
logic in the check expression to account for the effective ServiceAccount
setting, or narrow the rule’s name/docs to explicitly describe pod-spec-only
behavior; use the existing object context in
automount-service-account-token.yaml to keep the rule aligned with its intent.
In `@pkg/builtinchecks/yamls/init-container-security-gap.yaml`:
- Around line 2-8: The rule metadata in init-container-security-gap.yaml
overstates what the builtin check enforces, since the current CEL only validates
runAsNonRoot and does not check readOnlyRootFilesystem. Update the description
and remediation tied to this rule to mention only runAsNonRoot, or extend the
actual check logic in the corresponding builtin rule to also validate
readOnlyRootFilesystem; keep the wording aligned with the implementation in the
rule content.
In `@pkg/builtinchecks/yamls/projected-token-long-expiration.yaml`:
- Around line 2-5: The projected-token-long-expiration check documentation and
logic are inconsistent: the description claims it also catches projected tokens
without explicit expirationSeconds, but the CEL in the
projected-token-long-expiration rule only matches when that field is present.
Update the rule in the projected-token-long-expiration YAML so the expression
handles the omitted-field case too, and make sure the associated fixtures cover
both explicit long expirations and missing expirationSeconds; if that case is
not intended, remove the claim from the description instead.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: dd95f5ae-8e37-4068-b254-dbfe84f31b98
📒 Files selected for processing (7)
pkg/builtinchecks/yamls/automount-service-account-token.yamlpkg/builtinchecks/yamls/hostnetwork.yamlpkg/builtinchecks/yamls/init-container-security-gap.yamlpkg/builtinchecks/yamls/projected-token-long-expiration.yamltests/checks/automount-service-account-token.ymltests/checks/init-container-security-gap.ymltests/checks/projected-token-long-expiration.yml
- Fix init-container-security-gap description to match CEL (runAsNonRoot only) - Fix projected-token-long-expiration description to remove missing-expiration claim - Clarify automount-service-account-token checks pod spec only - Regenerate docs/generated/checks.md and templates.md
Add bats test entries for automount-service-account-token, init-container-security-gap, and projected-token-long-expiration in correct alphabetical order.
Summary
host-networkcheck description to document service mesh mTLS bypass riskNew Checks
init-container-security-gapprojected-token-long-expirationautomount-service-account-tokenEnhanced Checks
host-networkTest plan