
fix(misconf): Kubernetes Security Check Flagging KSV020 and KSV021 when configured at pod level #8210

Open
2 tasks done
simar7 opened this issue Jan 7, 2025 Discussed in #8208 · 0 comments
simar7 commented Jan 7, 2025

We should also check spec.securityContext at the pod level first.

Discussed in #8208

Originally posted by gysel January 7, 2025

Description

This has already been reported as #1187. Back then, rule bugs were handled in a different project and the issue was closed. But the bug still exists, and rule bugs now seem to be handled in this project.

With the Pod definition:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 10001
    runAsGroup: 30001
    fsGroup: 20001
    runAsNonRoot: true
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox:42
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 100m
        memory: 128Mi
    securityContext:
      allowPrivilegeEscalation: false
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true

Desired Behavior

No issues are reported.

Actual Behavior

trivy flags the following issues:

trivy config userid.yaml --report all 
2025-01-07T16:15:45+01:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-07T16:15:46+01:00       INFO    Detected config files   num=1

userid.yaml (kubernetes)

Tests: 93 (SUCCESSES: 91, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

AVD-KSV-0020 (LOW): Container 'sec-ctx-demo' of Pod 'security-context-demo' should set 'securityContext.runAsUser' > 10000
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.

See https://avd.aquasec.com/misconfig/ksv020
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 userid.yaml:15-35
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌   - name: sec-ctx-demo
  16 │     image: busybox:42
  17 │     command: [ "sh", "-c", "sleep 1h" ]
  18 │     volumeMounts:
  19 │     - name: sec-ctx-vol
  20 │       mountPath: /data/demo
  21 │     resources:
  22 │       requests:
  23 └         cpu: 100m
  ..   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0021 (LOW): Container 'sec-ctx-demo' of Pod 'security-context-demo' should set 'securityContext.runAsGroup' > 10000
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.

See https://avd.aquasec.com/misconfig/ksv021
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 userid.yaml:15-35
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌   - name: sec-ctx-demo
  16 │     image: busybox:42
  17 │     command: [ "sh", "-c", "sleep 1h" ]
  18 │     volumeMounts:
  19 │     - name: sec-ctx-vol
  20 │       mountPath: /data/demo
  21 │     resources:
  22 │       requests:
  23 └         cpu: 100m
  ..   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Reproduction Steps

n/a

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

None

Debug Output

n/a

Operating System

any

Version

$ trivy --version
Version: 0.58.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-01-07 12:17:19.537622748 +0000 UTC
  NextUpdate: 2025-01-08 12:17:19.537622377 +0000 UTC
  DownloadedAt: 2025-01-07 14:28:19.180589985 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-12-30 05:06:53.947339247 +0000 UTC
  NextUpdate: 2025-01-02 05:06:53.947339087 +0000 UTC
  DownloadedAt: 2025-01-03 16:58:50.359104369 +0000 UTC
Check Bundle:
  Digest: sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059
  DownloadedAt: 2025-01-07 14:48:44.292573883 +0000 UTC

Checklist

@simar7 simar7 added the kind/bug Categorizes issue or PR as related to a bug. label Jan 7, 2025
@simar7 simar7 added this to the v0.59.0 milestone Jan 7, 2025
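The fix simar7 proposes (fall back to the pod-level spec.securityContext when the container block leaves runAsUser/runAsGroup unset), written as an added Go example; this is not trivy's code nor its Rego checks. The types are trimmed stand-ins for the Kubernetes Pod spec, demoPod is constructed from the manifest in the report, and inheritPodLevel=false reproduces the two findings shown above while true yields none.

```go
package main
import "fmt"

const minID int64 = 10000 // KSV020/KSV021: runAsUser / runAsGroup must be > 10000

// Only the fields these checks read; a SecurityContext value with nil IDs means "unset".
type SecurityContext struct{ RunAsUser, RunAsGroup *int64 }
type Container struct {
	Name            string
	SecurityContext SecurityContext // spec.containers[].securityContext
}
type Pod struct {
	Name            string
	SecurityContext SecurityContext // spec.securityContext
	Containers      []Container
}
type Finding struct{ Check, Message string }
func int64p(v int64) *int64 { return &v }

// effective picks the container value when set, otherwise (if inheritPodLevel) the
// pod-level value, which is how Kubernetes resolves these fields for a container.
func effective(container, pod *int64, inheritPodLevel bool) *int64 {
	if container != nil || !inheritPodLevel {
		return container
	}
	return pod
}

// checkPod evaluates KSV020/KSV021 for every container; inheritPodLevel=false
// reproduces the reported behaviour, where only the container's own block is read.
func checkPod(p Pod, inheritPodLevel bool) []Finding {
	var out []Finding
	msg := "Container '%s' of Pod '%s' should set 'securityContext.%s' > %d"
	for _, c := range p.Containers {
		if uid := effective(c.SecurityContext.RunAsUser, p.SecurityContext.RunAsUser, inheritPodLevel); uid == nil || *uid <= minID {
			out = append(out, Finding{"KSV020", fmt.Sprintf(msg, c.Name, p.Name, "runAsUser", minID)})
		}
		if gid := effective(c.SecurityContext.RunAsGroup, p.SecurityContext.RunAsGroup, inheritPodLevel); gid == nil || *gid <= minID {
			out = append(out, Finding{"KSV021", fmt.Sprintf(msg, c.Name, p.Name, "runAsGroup", minID)})
		}
	}
	return out
}

// demoPod is constructed from the issue's manifest: IDs are set only at pod level.
var demoPod = Pod{
	Name:            "security-context-demo",
	SecurityContext: SecurityContext{RunAsUser: int64p(10001), RunAsGroup: int64p(30001)},
	Containers:      []Container{{Name: "sec-ctx-demo"}},
}
```

checkPod(demoPod, false) returns the KSV020 and KSV021 findings from the report, checkPod(demoPod, true) returns none; a container-level runAsUser still wins over the pod-level one, so an explicit low ID in the container block is flagged regardless of the pod setting.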