diff --git a/pkg/apis/aquasecurity/v1alpha1/compliance_types.go b/pkg/apis/aquasecurity/v1alpha1/compliance_types.go
index 479637baa..a678e5120 100644
--- a/pkg/apis/aquasecurity/v1alpha1/compliance_types.go
+++ b/pkg/apis/aquasecurity/v1alpha1/compliance_types.go
@@ -216,6 +216,7 @@ func FromDetailReport(sr *report.ComplianceReport) *ComplianceReport {
 Description: ms.Description,
 Severity: Severity(ms.Severity),
 Category: "Kubernetes Security Check",
+ Remediation: ms.Resolution,
 Messages: []string{ms.Message},
 Success: false,
 })
diff --git a/pkg/compliance/io.go b/pkg/compliance/io.go
index d15a39692..4436c333a 100644
--- a/pkg/compliance/io.go
+++ b/pkg/compliance/io.go
@@ -170,6 +170,7 @@ func reportsToResults(checks []v1alpha1.Check, name string, namespace string) tt
 Title: check.Title,
 Description: check.Description,
 Message: check.Description,
+ Resolution: check.Remediation,
 Severity: string(check.Severity),
 Status: status,
 },
diff --git a/pkg/configauditreport/controller/resource.go b/pkg/configauditreport/controller/resource.go
index b90ad8c58..7eefac6c4 100644
--- a/pkg/configauditreport/controller/resource.go
+++ b/pkg/configauditreport/controller/resource.go
@@ -363,8 +363,9 @@ func getCheck(result scan.Result, id string) v1alpha1.Check {
 Severity: v1alpha1.Severity(result.Rule().Severity),
 Category: "Kubernetes Security Check",
- Success: result.Status() == scan.StatusPassed,
- Messages: []string{result.Description()},
+ Success: result.Status() == scan.StatusPassed,
+ Messages: []string{result.Description()},
+ Remediation: result.Rule().Resolution,
 }
 }
diff --git a/pkg/operator/envtest/testdata/fixture/api-server-infraassessmentreport-expected.yaml b/pkg/operator/envtest/testdata/fixture/api-server-infraassessmentreport-expected.yaml
index 889739f7f..0b981fe8d 100644
--- a/pkg/operator/envtest/testdata/fixture/api-server-infraassessmentreport-expected.yaml
+++ b/pkg/operator/envtest/testdata/fixture/api-server-infraassessmentreport-expected.yaml
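Review bot: The new `Remediation: ms.Resolution` field is only as durable as the CRD schema that stores it: this diff shows the Go-side population but neither the `Check` struct change nor the generated CRD manifest, and a structural CRD schema without a `remediation` property silently prunes the value on write, so the updated fixtures would pass in unit tests yet the field would never reach a real API server. Please confirm the CRD OpenAPI schema and the `Check` type are updated in the same commit, and that the field carries a `json:"remediation,omitempty"` tag so passing checks do not emit an empty key (the fixtures only show it on failing checks). The value is scanner-supplied free text copied verbatim into the custom resource; that is consistent with how `Description` and `Messages` are already handled here. FromDetailReport starts and ends outside the hunk.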
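Review bot: `result.Rule()` is now evaluated twice in the returned literal in getCheck, once for `Severity` and once for the new `Remediation`; hoisting it once, `rule := result.Rule()`, and reading `rule.Severity` / `rule.Resolution` keeps the rule-to-check mapping in one place and avoids repeating the accessor as more rule metadata gets copied. The hunk header counts eight old lines but only six are visible, so the opening of the return statement appears to have been lost in this rendering; getCheck's body begins outside the hunk. This is a style point only — the value flows through unchanged.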
@@ -17,92 +17,120 @@ metadata: uid: null report: checks: - - category: Kubernetes Security Check - checkID: KCV0022 - description: Rotate log files on reaching 100 MB or as appropriate. + - checkID: KCV0001 + title: Ensure that the --anonymous-auth argument is set to false + description: Disable anonymous requests to the API server. + severity: MEDIUM + category: Kubernetes Security Check messages: - - Ensure that the --audit-log-maxsize argument is set to 100 or as - appropriate - severity: LOW + - Ensure that the --anonymous-auth argument is set to false + remediation: Set '--anonymous-auth' to 'false'. success: false - title: Ensure that the --audit-log-maxsize argument is set to 100 or as + - checkID: KCV0006 + title: Ensure that the --kubelet-certificate-authority argument is set as appropriate - - category: Kubernetes Security Check - checkID: KCV0006 description: Verify kubelet's certificate before establishing connection. + severity: LOW + category: Kubernetes Security Check messages: - Ensure that the --kubelet-certificate-authority argument is set as appropriate - severity: LOW + remediation: "Follow the Kubernetes documentation and setup the TLS connection + between the apiserver and kubelets. " success: false - title: Ensure that the --kubelet-certificate-authority argument is set as - appropriate - - category: Kubernetes Security Check - checkID: KCV0001 - description: Disable anonymous requests to the API server. + - checkID: KCV0010 + title: Ensure that the admission control plugin EventRateLimit is set + description: Limit the rate at which the API server accepts requests. + severity: LOW + category: Kubernetes Security Check messages: - - Ensure that the --anonymous-auth argument is set to false - severity: MEDIUM + - Ensure that the admission control plugin EventRateLimit is set + remediation: Follow the Kubernetes documentation and set the desired limits in a + configuration file. 
Then, edit the API server pod specification file + /etc/kubernetes/manifests/kube-apiserver.yaml and set the below + parameters. success: false - title: Ensure that the --anonymous-auth argument is set to false - - category: Kubernetes Security Check - checkID: KCV0020 - description: Retain the logs for at least 30 days or as appropriate. + - checkID: KCV0013 + title: Ensure that the admission control plugin SecurityContextDeny is set if + PodSecurityPolicy is not used + description: The SecurityContextDeny admission controller can be used to deny + pods which make use of some SecurityContext fields which could allow for + privilege escalation in the cluster. This should be used where + PodSecurityPolicy is not in place within the cluster. + severity: LOW + category: Kubernetes Security Check messages: - - Ensure that the --audit-log-maxage argument is set to 30 or as - appropriate + - Ensure that the admission control plugin SecurityContextDeny is set if + PodSecurityPolicy is not used + remediation: Edit the API server pod specification file + /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node + and set the --enable-admission-plugins parameter to include + SecurityContextDeny, unless PodSecurityPolicy is already in place. + success: false + - checkID: KCV0018 + title: Ensure that the --profiling argument is set to false + description: Disable profiling, if not needed. severity: LOW + category: Kubernetes Security Check + messages: + - Ensure that the --profiling argument is set to false + remediation: Edit the API server pod specification file + /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node + and set the below parameter. 
success: false - title: Ensure that the --audit-log-maxage argument is set to 30 or as - appropriate - - category: Kubernetes Security Check - checkID: KCV0019 + - checkID: KCV0019 + title: Ensure that the --audit-log-path argument is set description: Enable auditing on the Kubernetes API Server and set the desired audit log path. + severity: LOW + category: Kubernetes Security Check messages: - Ensure that the --audit-log-path argument is set - severity: LOW + remediation: Edit the API server pod specification file + /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node + and set the --audit-log-path parameter. success: false - title: Ensure that the --audit-log-path argument is set - - category: Kubernetes Security Check - checkID: KCV0018 - description: Disable profiling, if not needed. - messages: - - Ensure that the --profiling argument is set to false + - checkID: KCV0020 + title: Ensure that the --audit-log-maxage argument is set to 30 or as + appropriate + description: Retain the logs for at least 30 days or as appropriate. severity: LOW + category: Kubernetes Security Check + messages: + - Ensure that the --audit-log-maxage argument is set to 30 or as + appropriate + remediation: Edit the API server pod specification file + /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node + and set the --audit-log-maxage parameter to 30 or as an appropriate + number of days. success: false - title: Ensure that the --profiling argument is set to false - - category: Kubernetes Security Check - checkID: KCV0021 + - checkID: KCV0021 + title: Ensure that the --audit-log-maxbackup argument is set to 10 or as + appropriate description: Retain 10 or an appropriate number of old log files. 
+ severity: LOW + category: Kubernetes Security Check messages: - Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate - severity: LOW + remediation: Edit the API server pod specification file + /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node + and set the --audit-log-maxbackup parameter to 10 or to an appropriate + value. success: false - title: Ensure that the --audit-log-maxbackup argument is set to 10 or as + - checkID: KCV0022 + title: Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate - - category: Kubernetes Security Check - checkID: KCV0010 - description: Limit the rate at which the API server accepts requests. - messages: - - Ensure that the admission control plugin EventRateLimit is set + description: Rotate log files on reaching 100 MB or as appropriate. severity: LOW - success: false - title: Ensure that the admission control plugin EventRateLimit is set - - category: Kubernetes Security Check - checkID: KCV0013 - description: The SecurityContextDeny admission controller can be used to deny - pods which make use of some SecurityContext fields which could allow for - privilege escalation in the cluster. This should be used where - PodSecurityPolicy is not in place within the cluster. + category: Kubernetes Security Check messages: - - Ensure that the admission control plugin SecurityContextDeny is set if - PodSecurityPolicy is not used - severity: LOW + - Ensure that the --audit-log-maxsize argument is set to 100 or as + appropriate + remediation: Edit the API server pod specification file + /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node + and set the --audit-log-maxsize parameter to an appropriate size in MB success: false - title: Ensure that the admission control plugin SecurityContextDeny is set if - PodSecurityPolicy is not used scanner: name: Trivy vendor: Aqua Security 
diff --git a/pkg/operator/envtest/testdata/fixture/cronjob-configauditreport-expected.yaml b/pkg/operator/envtest/testdata/fixture/cronjob-configauditreport-expected.yaml index b8307947b..54317abdd 100644 --- a/pkg/operator/envtest/testdata/fixture/cronjob-configauditreport-expected.yaml +++ b/pkg/operator/envtest/testdata/fixture/cronjob-configauditreport-expected.yaml @@ -39,6 +39,7 @@ report: messages: - Container 'hello' of CronJob 'hello' should set 'securityContext.allowPrivilegeEscalation' to false + remediation: Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'. success: false - checkID: KSV003 title: "Default capabilities: some containers do not drop all" @@ -49,6 +50,7 @@ report: messages: - Container 'hello' of CronJob 'hello' should add 'ALL' to 'securityContext.capabilities.drop' + remediation: Add 'ALL' to containers[].securityContext.capabilities.drop. success: false - checkID: KSV011 title: CPU not limited @@ -57,6 +59,7 @@ report: category: Kubernetes Security Check messages: - Container 'hello' of CronJob 'hello' should set 'resources.limits.cpu' + remediation: Set a limit value under 'containers[].resources.limits.cpu'. success: false - checkID: KSV012 title: Runs as root user 
@@ -67,40 +70,42 @@ report: messages: - Container 'hello' of CronJob 'hello' should set 'securityContext.runAsNonRoot' to true + remediation: Set 'containers[].securityContext.runAsNonRoot' to true. success: false - checkID: KSV014 title: Root file system is not read-only description: An immutable root file system prevents applications from writing to - their local disk. This can limit intrusions, as attackers will not be - able to tamper with the file system or write foreign executables to - disk. + their local disk. This can limit intrusions, as attackers will not be able + to tamper with the file system or write foreign executables to disk. severity: LOW category: Kubernetes Security Check messages: - Container 'hello' of CronJob 'hello' should set 'securityContext.readOnlyRootFilesystem' to true + remediation: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'. success: false - checkID: KSV015 title: CPU requests not specified description: When containers have resource requests specified, the scheduler can - make better decisions about which nodes to place pods on, and how to - deal with resource contention. + make better decisions about which nodes to place pods on, and how to deal + with resource contention. severity: LOW category: Kubernetes Security Check messages: - - Container 'hello' of CronJob 'hello' should set - 'resources.requests.cpu' + - Container 'hello' of CronJob 'hello' should set 'resources.requests.cpu' + remediation: Set 'containers[].resources.requests.cpu'. success: false - checkID: KSV016 title: Memory requests not specified description: When containers have memory requests specified, the scheduler can - make better decisions about which nodes to place pods on, and how to - deal with resource contention. + make better decisions about which nodes to place pods on, and how to deal + with resource contention. 
severity: LOW category: Kubernetes Security Check messages: - Container 'hello' of CronJob 'hello' should set 'resources.requests.memory' + remediation: Set 'containers[].resources.requests.memory'. success: false - checkID: KSV018 title: Memory not limited @@ -108,8 +113,8 @@ report: severity: LOW category: Kubernetes Security Check messages: - - Container 'hello' of CronJob 'hello' should set - 'resources.limits.memory' + - Container 'hello' of CronJob 'hello' should set 'resources.limits.memory' + remediation: Set a limit value under 'containers[].resources.limits.memory'. success: false - checkID: KSV020 title: Runs with UID <= 10000 @@ -120,6 +125,7 @@ report: messages: - Container 'hello' of CronJob 'hello' should set 'securityContext.runAsUser' > 10000 + remediation: Set 'containers[].securityContext.runAsUser' to an integer > 10000. success: false - checkID: KSV021 title: Runs with GID <= 10000 @@ -130,6 +136,7 @@ report: messages: - Container 'hello' of CronJob 'hello' should set 'securityContext.runAsGroup' > 10000 + remediation: Set 'containers[].securityContext.runAsGroup' to an integer > 10000. success: false - checkID: KSV030 title: Runtime/Default Seccomp profile not set @@ -138,8 +145,12 @@ report: severity: LOW category: Kubernetes Security Check messages: - - Either Pod or Container should set - 'securityContext.seccompProfile.type' to 'RuntimeDefault' + - Either Pod or Container should set 'securityContext.seccompProfile.type' + to 'RuntimeDefault' + remediation: Set 'spec.securityContext.seccompProfile.type', + 'spec.containers[*].securityContext.seccompProfile' and + 'spec.initContainers[*].securityContext.seccompProfile' to + 'RuntimeDefault' or undefined. success: false - checkID: KSV104 title: Seccomp policies disabled 
@@ -149,6 +160,8 @@ report: messages: - container hello of cronjob hello in default namespace should specify a seccomp profile + remediation: Specify seccomp either by annotation or by seccomp profile type + having allowed values as per pod security standards success: false - checkID: KSV106 title: Container capabilities must only include NET_BIND_SERVICE @@ -158,6 +171,9 @@ report: category: Kubernetes Security Check messages: - container should drop all + remediation: Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' + and only add 'NET_BIND_SERVICE' to + 'spec.containers[*].securityContext.capabilities.add'. success: false - checkID: KSV110 title: Workloads in the default namespace @@ -167,12 +183,12 @@ report: messages: - cronjob hello in default namespace should set metadata.namespace to a non-default namespace + remediation: Set 'metadata.namespace' to a non-default namespace. success: false - checkID: KSV116 title: Runs with a root primary or supplementary GID description: According to pod security standard 'Non-root groups', containers - should be forbidden from running with a root primary or supplementary - GID. + should be forbidden from running with a root primary or supplementary GID. severity: LOW category: Kubernetes Security Check messages: @@ -180,6 +196,8 @@ report: spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0 + remediation: Set 'containers[].securityContext.runAsGroup' to a non-zero integer + or leave undefined. success: false - checkID: KSV118 title: Default security context configured 
@@ -192,4 +210,8 @@ report: messages: - cronjob hello in default namespace is using the default security context, which allows root privileges + remediation: To enhance security, it is strongly recommended not to rely on the + default security context. Instead, it is advisable to explicitly define + the required security parameters (such as runAsNonRoot, capabilities, + readOnlyRootFilesystem, etc.) within the security context. success: false diff --git a/pkg/operator/envtest/testdata/fixture/daemonset-configauditreport-expected.yaml b/pkg/operator/envtest/testdata/fixture/daemonset-configauditreport-expected.yaml index d1e74501e..17e8c7c66 100644 --- a/pkg/operator/envtest/testdata/fixture/daemonset-configauditreport-expected.yaml +++ b/pkg/operator/envtest/testdata/fixture/daemonset-configauditreport-expected.yaml @@ -39,6 +39,8 @@ report: messages: - Container 'fluentd-elasticsearch' of DaemonSet 'fluentd-elasticsearch' should set 'securityContext.allowPrivilegeEscalation' to false + remediation: Set 'set containers[].securityContext.allowPrivilegeEscalation' to + 'false'. success: false - checkID: KSV003 title: "Default capabilities: some containers do not drop all" @@ -49,6 +51,7 @@ report: messages: - Container 'fluentd-elasticsearch' of DaemonSet 'fluentd-elasticsearch' should add 'ALL' to 'securityContext.capabilities.drop' + remediation: Add 'ALL' to containers[].securityContext.capabilities.drop. success: false - checkID: KSV011 title: CPU not limited @@ -58,6 +61,7 @@ report: messages: - Container 'fluentd-elasticsearch' of DaemonSet 'fluentd-elasticsearch' should set 'resources.limits.cpu' + remediation: Set a limit value under 'containers[].resources.limits.cpu'. success: false - checkID: KSV012 title: Runs as root user 
@@ -68,6 +72,7 @@ report: messages: - Container 'fluentd-elasticsearch' of DaemonSet 'fluentd-elasticsearch' should set 'securityContext.runAsNonRoot' to true + remediation: Set 'containers[].securityContext.runAsNonRoot' to true. success: false - checkID: KSV014 title: Root file system is not read-only @@ -80,6 +85,7 @@ report: messages: - Container 'fluentd-elasticsearch' of DaemonSet 'fluentd-elasticsearch' should set 'securityContext.readOnlyRootFilesystem' to true + remediation: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'. success: false - checkID: KSV015 title: CPU requests not specified @@ -91,6 +97,7 @@ report: messages: - Container 'fluentd-elasticsearch' of DaemonSet 'fluentd-elasticsearch' should set 'resources.requests.cpu' + remediation: Set 'containers[].resources.requests.cpu'. success: false - checkID: KSV016 title: Memory requests not specified @@ -102,6 +109,7 @@ report: messages: - Container 'fluentd-elasticsearch' of DaemonSet 'fluentd-elasticsearch' should set 'resources.requests.memory' + remediation: Set 'containers[].resources.requests.memory'. success: false - checkID: KSV018 title: Memory not limited @@ -111,6 +119,7 @@ report: messages: - Container 'fluentd-elasticsearch' of DaemonSet 'fluentd-elasticsearch' should set 'resources.limits.memory' + remediation: Set a limit value under 'containers[].resources.limits.memory'. success: false - checkID: KSV020 title: Runs with UID <= 10000 @@ -121,6 +130,7 @@ report: messages: - Container 'fluentd-elasticsearch' of DaemonSet 'fluentd-elasticsearch' should set 'securityContext.runAsUser' > 10000 + remediation: Set 'containers[].securityContext.runAsUser' to an integer > 10000. success: false - checkID: KSV021 title: Runs with GID <= 10000 
@@ -131,6 +141,7 @@ report: messages: - Container 'fluentd-elasticsearch' of DaemonSet 'fluentd-elasticsearch' should set 'securityContext.runAsGroup' > 10000 + remediation: Set 'containers[].securityContext.runAsGroup' to an integer > 10000. success: false - checkID: KSV030 title: Runtime/Default Seccomp profile not set @@ -141,6 +152,10 @@ report: messages: - Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' + remediation: Set 'spec.securityContext.seccompProfile.type', + 'spec.containers[*].securityContext.seccompProfile' and + 'spec.initContainers[*].securityContext.seccompProfile' to + 'RuntimeDefault' or undefined. success: false - checkID: KSV104 title: Seccomp policies disabled @@ -150,6 +165,8 @@ report: messages: - container fluentd-elasticsearch of daemonset fluentd-elasticsearch in default namespace should specify a seccomp profile + remediation: Specify seccomp either by annotation or by seccomp profile type + having allowed values as per pod security standards success: false - checkID: KSV106 title: Container capabilities must only include NET_BIND_SERVICE @@ -159,6 +176,9 @@ report: category: Kubernetes Security Check messages: - container should drop all + remediation: Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' + and only add 'NET_BIND_SERVICE' to + 'spec.containers[*].securityContext.capabilities.add'. success: false - checkID: KSV110 title: Workloads in the default namespace @@ -168,6 +188,7 @@ report: messages: - daemonset fluentd-elasticsearch in default namespace should set metadata.namespace to a non-default namespace + remediation: Set 'metadata.namespace' to a non-default namespace. success: false - checkID: KSV116 title: Runs with a root primary or supplementary GID 
@@ -181,6 +202,8 @@ report: spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0 + remediation: Set 'containers[].securityContext.runAsGroup' to a non-zero integer + or leave undefined. success: false - checkID: KSV118 title: Default security context configured @@ -193,4 +216,8 @@ report: messages: - daemonset fluentd-elasticsearch in default namespace is using the default security context, which allows root privileges + remediation: To enhance security, it is strongly recommended not to rely on the + default security context. Instead, it is advisable to explicitly define + the required security parameters (such as runAsNonRoot, capabilities, + readOnlyRootFilesystem, etc.) within the security context. success: false diff --git a/pkg/operator/envtest/testdata/fixture/job-configauditreport-expected.yaml b/pkg/operator/envtest/testdata/fixture/job-configauditreport-expected.yaml index 51edac58b..533baa4d4 100644 --- a/pkg/operator/envtest/testdata/fixture/job-configauditreport-expected.yaml +++ b/pkg/operator/envtest/testdata/fixture/job-configauditreport-expected.yaml @@ -39,6 +39,8 @@ report: messages: - Container 'pi' of Job 'pi' should set 'securityContext.allowPrivilegeEscalation' to false + remediation: Set 'set containers[].securityContext.allowPrivilegeEscalation' to + 'false'. success: false - checkID: KSV003 title: "Default capabilities: some containers do not drop all" @@ -49,6 +51,7 @@ report: messages: - Container 'pi' of Job 'pi' should add 'ALL' to 'securityContext.capabilities.drop' + remediation: Add 'ALL' to containers[].securityContext.capabilities.drop. success: false - checkID: KSV011 title: CPU not limited 
@@ -57,6 +60,7 @@ report: category: Kubernetes Security Check messages: - Container 'pi' of Job 'pi' should set 'resources.limits.cpu' + remediation: Set a limit value under 'containers[].resources.limits.cpu'. success: false - checkID: KSV012 title: Runs as root user @@ -67,6 +71,7 @@ report: messages: - Container 'pi' of Job 'pi' should set 'securityContext.runAsNonRoot' to true + remediation: Set 'containers[].securityContext.runAsNonRoot' to true. success: false - checkID: KSV014 title: Root file system is not read-only @@ -79,6 +84,7 @@ report: messages: - Container 'pi' of Job 'pi' should set 'securityContext.readOnlyRootFilesystem' to true + remediation: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'. success: false - checkID: KSV015 title: CPU requests not specified @@ -89,6 +95,7 @@ report: category: Kubernetes Security Check messages: - Container 'pi' of Job 'pi' should set 'resources.requests.cpu' + remediation: Set 'containers[].resources.requests.cpu'. success: false - checkID: KSV016 title: Memory requests not specified @@ -99,6 +106,7 @@ report: category: Kubernetes Security Check messages: - Container 'pi' of Job 'pi' should set 'resources.requests.memory' + remediation: Set 'containers[].resources.requests.memory'. success: false - checkID: KSV018 title: Memory not limited @@ -107,6 +115,7 @@ report: category: Kubernetes Security Check messages: - Container 'pi' of Job 'pi' should set 'resources.limits.memory' + remediation: Set a limit value under 'containers[].resources.limits.memory'. success: false - checkID: KSV020 title: Runs with UID <= 10000 @@ -117,6 +126,7 @@ report: messages: - Container 'pi' of Job 'pi' should set 'securityContext.runAsUser' > 10000 + remediation: Set 'containers[].securityContext.runAsUser' to an integer > 10000. success: false - checkID: KSV021 title: Runs with GID <= 10000 
@@ -127,6 +137,7 @@ report: messages: - Container 'pi' of Job 'pi' should set 'securityContext.runAsGroup' > 10000 + remediation: Set 'containers[].securityContext.runAsGroup' to an integer > 10000. success: false - checkID: KSV030 title: Runtime/Default Seccomp profile not set @@ -137,6 +148,10 @@ report: messages: - Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' + remediation: Set 'spec.securityContext.seccompProfile.type', + 'spec.containers[*].securityContext.seccompProfile' and + 'spec.initContainers[*].securityContext.seccompProfile' to + 'RuntimeDefault' or undefined. success: false - checkID: KSV104 title: Seccomp policies disabled @@ -146,6 +161,8 @@ report: messages: - container pi of job pi in default namespace should specify a seccomp profile + remediation: Specify seccomp either by annotation or by seccomp profile type + having allowed values as per pod security standards success: false - checkID: KSV106 title: Container capabilities must only include NET_BIND_SERVICE @@ -155,6 +172,9 @@ report: category: Kubernetes Security Check messages: - container should drop all + remediation: Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' + and only add 'NET_BIND_SERVICE' to + 'spec.containers[*].securityContext.capabilities.add'. success: false - checkID: KSV110 title: Workloads in the default namespace @@ -164,6 +184,7 @@ report: messages: - job pi in default namespace should set metadata.namespace to a non-default namespace + remediation: Set 'metadata.namespace' to a non-default namespace. success: false - checkID: KSV116 title: Runs with a root primary or supplementary GID 
@@ -177,6 +198,8 @@ report: spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0 + remediation: Set 'containers[].securityContext.runAsGroup' to a non-zero integer + or leave undefined. success: false - checkID: KSV118 title: Default security context configured @@ -189,4 +212,8 @@ report: messages: - job pi in default namespace is using the default security context, which allows root privileges + remediation: To enhance security, it is strongly recommended not to rely on the + default security context. Instead, it is advisable to explicitly define + the required security parameters (such as runAsNonRoot, capabilities, + readOnlyRootFilesystem, etc.) within the security context. success: false diff --git a/pkg/operator/envtest/testdata/fixture/pod-configauditreport-expected.yaml b/pkg/operator/envtest/testdata/fixture/pod-configauditreport-expected.yaml index a9628d11e..263c6c1d4 100644 --- a/pkg/operator/envtest/testdata/fixture/pod-configauditreport-expected.yaml +++ b/pkg/operator/envtest/testdata/fixture/pod-configauditreport-expected.yaml @@ -39,6 +39,8 @@ report: messages: - Container 'app' of Pod 'my-pod' should set 'securityContext.allowPrivilegeEscalation' to false + remediation: Set 'set containers[].securityContext.allowPrivilegeEscalation' to + 'false'. success: false - checkID: KSV003 title: "Default capabilities: some containers do not drop all" @@ -49,6 +51,7 @@ report: messages: - Container 'app' of Pod 'my-pod' should add 'ALL' to 'securityContext.capabilities.drop' + remediation: Add 'ALL' to containers[].securityContext.capabilities.drop. success: false - checkID: KSV011 title: CPU not limited @@ -57,6 +60,7 @@ report: category: Kubernetes Security Check messages: - Container 'app' of Pod 'my-pod' should set 'resources.limits.cpu' + remediation: Set a limit value under 'containers[].resources.limits.cpu'. success: false - checkID: KSV012 title: Runs as root user 
@@ -67,6 +71,7 @@ report: messages: - Container 'app' of Pod 'my-pod' should set 'securityContext.runAsNonRoot' to true + remediation: Set 'containers[].securityContext.runAsNonRoot' to true. success: false - checkID: KSV014 title: Root file system is not read-only @@ -79,6 +84,7 @@ report: messages: - Container 'app' of Pod 'my-pod' should set 'securityContext.readOnlyRootFilesystem' to true + remediation: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'. success: false - checkID: KSV015 title: CPU requests not specified @@ -89,6 +95,7 @@ report: category: Kubernetes Security Check messages: - Container 'app' of Pod 'my-pod' should set 'resources.requests.cpu' + remediation: Set 'containers[].resources.requests.cpu'. success: false - checkID: KSV016 title: Memory requests not specified @@ -99,6 +106,7 @@ report: category: Kubernetes Security Check messages: - Container 'app' of Pod 'my-pod' should set 'resources.requests.memory' + remediation: Set 'containers[].resources.requests.memory'. success: false - checkID: KSV018 title: Memory not limited @@ -107,6 +115,7 @@ report: category: Kubernetes Security Check messages: - Container 'app' of Pod 'my-pod' should set 'resources.limits.memory' + remediation: Set a limit value under 'containers[].resources.limits.memory'. success: false - checkID: KSV020 title: Runs with UID <= 10000 @@ -117,6 +126,7 @@ report: messages: - Container 'app' of Pod 'my-pod' should set 'securityContext.runAsUser' > 10000 + remediation: Set 'containers[].securityContext.runAsUser' to an integer > 10000. success: false - checkID: KSV021 title: Runs with GID <= 10000 @@ -127,6 +137,7 @@ report: messages: - Container 'app' of Pod 'my-pod' should set 'securityContext.runAsGroup' > 10000 + remediation: Set 'containers[].securityContext.runAsGroup' to an integer > 10000. success: false - checkID: KSV030 title: Runtime/Default Seccomp profile not set 
@@ -137,6 +148,10 @@ report: messages: - Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' + remediation: Set 'spec.securityContext.seccompProfile.type', + 'spec.containers[*].securityContext.seccompProfile' and + 'spec.initContainers[*].securityContext.seccompProfile' to + 'RuntimeDefault' or undefined. success: false - checkID: KSV104 title: Seccomp policies disabled @@ -146,6 +161,8 @@ report: messages: - container app of pod my-pod in default namespace should specify a seccomp profile + remediation: Specify seccomp either by annotation or by seccomp profile type + having allowed values as per pod security standards success: false - checkID: KSV106 title: Container capabilities must only include NET_BIND_SERVICE @@ -155,6 +172,9 @@ report: category: Kubernetes Security Check messages: - container should drop all + remediation: Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' + and only add 'NET_BIND_SERVICE' to + 'spec.containers[*].securityContext.capabilities.add'. success: false - checkID: KSV110 title: Workloads in the default namespace @@ -164,6 +184,7 @@ report: messages: - pod my-pod in default namespace should set metadata.namespace to a non-default namespace + remediation: Set 'metadata.namespace' to a non-default namespace. success: false - checkID: KSV116 title: Runs with a root primary or supplementary GID @@ -177,6 +198,8 @@ report: spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0 + remediation: Set 'containers[].securityContext.runAsGroup' to a non-zero integer + or leave undefined. success: false - checkID: KSV118 title: Default security context configured 
@@ -189,4 +212,8 @@ report: messages: - pod my-pod in default namespace is using the default security context, which allows root privileges + remediation: To enhance security, it is strongly recommended not to rely on the + default security context. Instead, it is advisable to explicitly define + the required security parameters (such as runAsNonRoot, capabilities, + readOnlyRootFilesystem, etc.) within the security context. success: false diff --git a/pkg/operator/envtest/testdata/fixture/replicaset-configauditreport-expected.yaml b/pkg/operator/envtest/testdata/fixture/replicaset-configauditreport-expected.yaml index af3a0e0e0..7b4e1bf50 100644 --- a/pkg/operator/envtest/testdata/fixture/replicaset-configauditreport-expected.yaml +++ b/pkg/operator/envtest/testdata/fixture/replicaset-configauditreport-expected.yaml @@ -39,6 +39,8 @@ report: messages: - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set 'securityContext.allowPrivilegeEscalation' to false + remediation: Set 'set containers[].securityContext.allowPrivilegeEscalation' to + 'false'. success: false - checkID: KSV003 title: "Default capabilities: some containers do not drop all" @@ -49,6 +51,7 @@ report: messages: - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should add 'ALL' to 'securityContext.capabilities.drop' + remediation: Add 'ALL' to containers[].securityContext.capabilities.drop. success: false - checkID: KSV011 title: CPU not limited @@ -58,6 +61,7 @@ report: messages: - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set 'resources.limits.cpu' + remediation: Set a limit value under 'containers[].resources.limits.cpu'. success: false - checkID: KSV012 title: Runs as root user 
@@ -68,6 +72,7 @@ report: messages: - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set 'securityContext.runAsNonRoot' to true + remediation: Set 'containers[].securityContext.runAsNonRoot' to true. success: false - checkID: KSV014 title: Root file system is not read-only @@ -80,6 +85,7 @@ report: messages: - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set 'securityContext.readOnlyRootFilesystem' to true + remediation: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'. success: false - checkID: KSV015 title: CPU requests not specified @@ -91,6 +97,7 @@ report: messages: - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set 'resources.requests.cpu' + remediation: Set 'containers[].resources.requests.cpu'. success: false - checkID: KSV016 title: Memory requests not specified @@ -102,6 +109,7 @@ report: messages: - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set 'resources.requests.memory' + remediation: Set 'containers[].resources.requests.memory'. success: false - checkID: KSV018 title: Memory not limited @@ -111,6 +119,7 @@ report: messages: - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set 'resources.limits.memory' + remediation: Set a limit value under 'containers[].resources.limits.memory'. success: false - checkID: KSV020 title: Runs with UID <= 10000 @@ -121,6 +130,7 @@ report: messages: - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set 'securityContext.runAsUser' > 10000 + remediation: Set 'containers[].securityContext.runAsUser' to an integer > 10000. success: false - checkID: KSV021 title: Runs with GID <= 10000 
@@ -131,6 +141,7 @@ report: messages: - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set 'securityContext.runAsGroup' > 10000 + remediation: Set 'containers[].securityContext.runAsGroup' to an integer > 10000. success: false - checkID: KSV030 title: Runtime/Default Seccomp profile not set @@ -141,6 +152,10 @@ report: messages: - Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' + remediation: Set 'spec.securityContext.seccompProfile.type', + 'spec.containers[*].securityContext.seccompProfile' and + 'spec.initContainers[*].securityContext.seccompProfile' to + 'RuntimeDefault' or undefined. success: false - checkID: KSV104 title: Seccomp policies disabled @@ -150,6 +165,8 @@ report: messages: - container wordpress of replicaset wordpress-84bbf6f4dd in default namespace should specify a seccomp profile + remediation: Specify seccomp either by annotation or by seccomp profile type + having allowed values as per pod security standards success: false - checkID: KSV106 title: Container capabilities must only include NET_BIND_SERVICE @@ -159,6 +176,9 @@ report: category: Kubernetes Security Check messages: - container should drop all + remediation: Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' + and only add 'NET_BIND_SERVICE' to + 'spec.containers[*].securityContext.capabilities.add'. success: false - checkID: KSV110 title: Workloads in the default namespace @@ -168,6 +188,7 @@ report: messages: - replicaset wordpress-84bbf6f4dd in default namespace should set metadata.namespace to a non-default namespace + remediation: Set 'metadata.namespace' to a non-default namespace. success: false - checkID: KSV116 title: Runs with a root primary or supplementary GID 
@@ -181,6 +202,8 @@ report: spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0 + remediation: Set 'containers[].securityContext.runAsGroup' to a non-zero integer + or leave undefined. success: false - checkID: KSV118 title: Default security context configured @@ -193,4 +216,8 @@ report: messages: - replicaset wordpress-84bbf6f4dd in default namespace is using the default security context, which allows root privileges + remediation: To enhance security, it is strongly recommended not to rely on the + default security context. Instead, it is advisable to explicitly define + the required security parameters (such as runAsNonRoot, capabilities, + readOnlyRootFilesystem, etc.) within the security context. success: false diff --git a/pkg/operator/envtest/testdata/fixture/role-rbacassessment-expected.yaml b/pkg/operator/envtest/testdata/fixture/role-rbacassessment-expected.yaml index c739bbb39..dbdfcab29 100644 --- a/pkg/operator/envtest/testdata/fixture/role-rbacassessment-expected.yaml +++ b/pkg/operator/envtest/testdata/fixture/role-rbacassessment-expected.yaml @@ -28,6 +28,8 @@ report: messages: - Role 'proxy' shouldn't have access to manage secrets in namespace 'default' + remediation: Manage namespace secrets are not allowed. Remove resource 'secrets' + from role success: false - checkID: KSV116 title: Runs with a root primary or supplementary GID @@ -41,6 +43,8 @@ report: spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0 + remediation: Set 'containers[].securityContext.runAsGroup' to a non-zero integer + or leave undefined. success: false scanner: name: Trivy