Skip to content
Draft
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions pkg/builtinchecks/yamls/automount-service-account-token.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
name: automount-service-account-token
description: >-
Pod does not explicitly disable automatic mounting of the service account
token. If the workload does not call the Kubernetes API, the mounted token
is unnecessary attack surface.
remediation: >-
Set automountServiceAccountToken: false in the pod spec if the workload
does not need to interact with the Kubernetes API.
scope:
objectKinds:
- DeploymentLike
template: cel-expression
params:
check: >
(!has(object.spec.template.spec.automountServiceAccountToken) ||
object.spec.template.spec.automountServiceAccountToken == true)
? 'service account token is auto-mounted — set automountServiceAccountToken: false if not needed' : ''
Comment thread
coderabbitai[bot] marked this conversation as resolved.
11 changes: 9 additions & 2 deletions pkg/builtinchecks/yamls/hostnetwork.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,13 @@
name: "host-network"
description: "Alert on pods/deployment-likes with sharing host's network namespace"
remediation: "Ensure the host's network namespace is not shared."
description: >-
Alert on pods/deployment-likes sharing the host's network namespace.
Pods with hostNetwork: true bypass service mesh mTLS, silently disabling
encryption for inter-service traffic. They also gain access to
network-level attacks against other pods on the same node.
remediation: >-
Ensure the host's network namespace is not shared. If host networking
is required, be aware that service mesh mTLS is bypassed and consider
alternative encryption for inter-service communication.
scope:
objectKinds:
- DeploymentLike
Expand Down
23 changes: 23 additions & 0 deletions pkg/builtinchecks/yamls/init-container-security-gap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
name: init-container-security-gap
description: >-
Init container does not set runAsNonRoot or readOnlyRootFilesystem while
the pod-level securityContext does. Init containers can run as root even
when main containers are hardened.
remediation: >-
Apply the same securityContext restrictions to init containers as to
regular containers.
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated
scope:
objectKinds:
- DeploymentLike
template: cel-expression
params:
check: >
has(object.spec.template.spec.securityContext) &&
has(object.spec.template.spec.securityContext.runAsNonRoot) &&
object.spec.template.spec.securityContext.runAsNonRoot == true &&
has(object.spec.template.spec.initContainers) &&
object.spec.template.spec.initContainers.exists(c,
!has(c.securityContext) ||
!has(c.securityContext.runAsNonRoot) ||
c.securityContext.runAsNonRoot != true
) ? 'init container may run as root despite pod-level runAsNonRoot — apply securityContext to init containers' : ''
23 changes: 23 additions & 0 deletions pkg/builtinchecks/yamls/projected-token-long-expiration.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
name: projected-token-long-expiration
description: >-
Projected service account token volume with expirationSeconds > 24h or
without explicit expiration. Long-lived tokens extracted from compromised
pods remain valid indefinitely.
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated
remediation: >-
Set expirationSeconds to 3600 (1 hour) or less unless the workload
specifically requires longer token lifetimes.
scope:
objectKinds:
- DeploymentLike
template: cel-expression
params:
check: >
has(object.spec.template.spec.volumes) &&
object.spec.template.spec.volumes.exists(v,
has(v.projected) &&
v.projected.sources.exists(s,
has(s.serviceAccountToken) &&
has(s.serviceAccountToken.expirationSeconds) &&
s.serviceAccountToken.expirationSeconds > 86400
)
) ? 'projected SA token with expirationSeconds > 24h — stolen tokens persist' : ''
35 changes: 35 additions & 0 deletions tests/checks/automount-service-account-token.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dont-fire
spec:
template:
spec:
automountServiceAccountToken: false
containers:
- name: app
image: app:v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: fire-default-mount
spec:
template:
spec:
containers:
- name: app
image: app:v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: fire-explicit-true
spec:
template:
spec:
automountServiceAccountToken: true
containers:
- name: app
image: app:v1
47 changes: 47 additions & 0 deletions tests/checks/init-container-security-gap.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dont-fire-no-init
spec:
template:
spec:
securityContext:
runAsNonRoot: true
containers:
- name: app
image: app:v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dont-fire-init-hardened
spec:
template:
spec:
securityContext:
runAsNonRoot: true
initContainers:
- name: init
image: init:v1
securityContext:
runAsNonRoot: true
containers:
- name: app
image: app:v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: fire-init-no-security-context
spec:
template:
spec:
securityContext:
runAsNonRoot: true
initContainers:
- name: init
image: init:v1
containers:
- name: app
image: app:v1
36 changes: 36 additions & 0 deletions tests/checks/projected-token-long-expiration.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dont-fire-short-token
spec:
template:
spec:
containers:
- name: app
image: app:v1
volumes:
- name: token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3600
path: token
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: fire-long-token
spec:
template:
spec:
containers:
- name: app
image: app:v1
volumes:
- name: token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 604800
path: token
Loading