Merge pull request #694 from esticansat/fix-604-seccomp-rule-update

Fix for issue #604 - Seccomp rules check updates

Author: 06kellyjac

README.md

@@ -295,7 +295,7 @@ $ kubesec ./score-9-deployment.yml | jq --exit-status '.score > 10' >/dev/null
 
 ## Example output
 
-Kubesec returns a returns a JSON array, and can scan multiple YAML documents in a single input file.
+Kubesec returns a JSON array, and can scan multiple YAML documents in a single input file.
 
 ```json
 [
@@ -327,15 +327,21 @@ Kubesec returns a returns a JSON array, and can scan multiple YAML documents in
 ]
 ```
 
+> [!NOTE]
+> You can also cat multiple files, as long as they're correctly formatted as multiple documents separated by `---`. E.g.
+> ```
+> { cat test/asset/multi.yml;
+> echo "---";
+> cat test/asset/critical-double-multiple.yml;
+> } | dist/kubesec scan -
+> ```
+
 ---
 
-## Contributors
 
-Thanks to our awesome contributors!
+## Contributing
 
-- [Andrew Martin](@sublimino)
-- [Stefan Prodan](@stefanprodan)
-- [Jack Kelly](@06kellyjac)
+Check out [CONTRIBUTING.md](CONTRIBUTING.md) for more information.
 
 ## Getting Help
 
@@ -348,7 +354,7 @@ If you have any questions about Kubesec and Kubernetes security:
 Your feedback is always welcome!
 
 [testing_workflow]: https://github.com/controlplaneio/kubesec/actions?query=workflow%3ATesting
-[testing_workflow_badge]: https://github.com/controlplaneio/kubesec/workflows/Testing/badge.svg
+[testing_workflow_badge]: https://github.com/controlplaneio/kubesec/actions/workflows/test_acceptance.yml/badge.svg
 [security_workflow]: https://github.com/controlplaneio/kubesec/actions?query=workflow%3A%22Security+Analysis%22
 [security_workflow_badge]: https://github.com/controlplaneio/kubesec/workflows/Security%20Analysis/badge.svg
 [release_workflow]: https://github.com/controlplaneio/kubesec/actions?query=workflow%3ARelease

pkg/ruler/ruleset.go

@@ -230,7 +230,7 @@ func NewRuleset(logger *zap.SugaredLogger) *Ruleset {
 	seccompAnyRule := Rule{
 		Predicate: rules.SeccompAny,
 		ID:        "SeccompAny",
-		Selector:  ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
+		Selector:  ".spec .securityContext .seccompProfile .type | .spec .containers[] .securityContext .seccompProfile .type | .spec .initContainers[] .securityContext .seccompProfile .type | .spec .ephemeralContainers[] .securityContext .seccompProfile .type",
 		Reason:    "Seccomp profiles set minimum privilege and secure against unknown threats",
 		Kinds:     []string{"Pod", "Deployment", "StatefulSet", "DaemonSet"},
 		Points:    1,
@@ -240,7 +240,7 @@ func NewRuleset(logger *zap.SugaredLogger) *Ruleset {
 	seccompUnconfinedRule := Rule{
 		Predicate: rules.SeccompUnconfined,
 		ID:        "SeccompUnconfined",
-		Selector:  ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
+		Selector:  ".spec .securityContext .seccompProfile .type | .spec .containers[] .securityContext .seccompProfile .type | .spec .initContainers[] .securityContext .seccompProfile .type | .spec .ephemeralContainers[] .securityContext .seccompProfile .type",
 		Reason:    "Unconfined Seccomp profiles have full system call access",
 		Kinds:     []string{"Pod", "Deployment", "StatefulSet", "DaemonSet"},
 		Points:    -1,

pkg/rules/helper.go

@@ -41,6 +41,7 @@ func checkSecurityContext(json []byte, checkPodSecurityContext bool, checkFn che
 
 	containersLen := jq.Copy().From(spec + ".containers").Count()
 	initContainersLen := jq.Copy().From(spec + ".initContainers").Count()
+	ephemeralContainersLen := jq.Copy().From(spec + ".ephemeralContainers").Count()
 
 	var valid int
 
@@ -60,6 +61,7 @@ func checkSecurityContext(json []byte, checkPodSecurityContext bool, checkFn che
 
 	ctnFn(initContainersLen, "initContainers")
 	ctnFn(containersLen, "containers")
+	ctnFn(ephemeralContainersLen, "ephemeralContainers")
 
 	return valid
 }

pkg/rules/seccompAny.go

@@ -1,42 +1,35 @@
 package rules
 
 import (
-	"bytes"
-	"fmt"
 	"github.com/thedevsaddam/gojsonq/v2"
-	"regexp"
-	"strings"
 )
 
-// TODO(ajm): tighten these matches, they could be "[seccomp..." or " seccomp...", and "unconfined]" or "unconfined "
-// TODO(ajm): space delimiting matches is insufficient as this could be set to `unconfined blah`
-func SeccompAny(json []byte) int {
-	containers := 0
-	startWordBoundaryRegex := "[\\[ ]"
-	endWordBoundaryRegex := "[\\] ]"
-
-	capDrop := gojsonq.New().Reader(bytes.NewReader(json)).
-		From("metadata.annotations").Get()
-
-	capDropString := fmt.Sprintf("%v", capDrop)
+// isSeccompUnconfined checks the seccompProfile.type field and returns a checkSecurityContextResult struct.
+// If the field is set then unset=false. If, on top of that, the value of Unconfined matches the expected value
+// then return valid=true.
+func isSeccompUnconfined(jq *gojsonq.JSONQ, expectedUnconfined bool) checkSecurityContextResult {
+	value := jq.From("securityContext.seccompProfile.type").Get()
 
-	if capDrop != nil && strings.Contains(capDropString, "seccomp.security.alpha.kubernetes.io/pod:") {
-		if !strings.Contains(capDropString, "seccomp.security.alpha.kubernetes.io/pod:unconfined") {
-			containers++
-		}
-	} else if capDrop != nil {
+	v, ok := value.(string)
 
-		keyNameRegex := "seccomp\\.security\\.alpha\\.kubernetes\\.io/[a-zA-Z-.]+"
-		// TODO(ajm) match end of string in regex
-		isNamedPodMatch, _ := regexp.MatchString(startWordBoundaryRegex+keyNameRegex+":", capDropString)
+	res := checkSecurityContextResult{}
+	if !ok {
+		res.unset = true
+		return res
+	}
 
-		if isNamedPodMatch {
-			isUnconfinedNamedPodMatch, _ := regexp.MatchString(startWordBoundaryRegex+keyNameRegex+":unconfined"+endWordBoundaryRegex, capDropString)
-			if !isUnconfinedNamedPodMatch {
-				containers++
-			}
-		}
+	return checkSecurityContextResult{
+		valid: (v == "Unconfined") == expectedUnconfined,
 	}
+}
 
-	return containers
+// SeccompAny retrieves the number of instances in a manifest where the Seccomp profile has been specified
+// to a value other than 'Unconfined'
+func SeccompAny(json []byte) int {
+	return checkSecurityContext(
+		json,
+		true, // present in PodSecurityContext
+		func(jq *gojsonq.JSONQ) checkSecurityContextResult {
+			return isSeccompUnconfined(jq, false)
+		})
 }