Merge pull request #701 from esticansat/fix-685-update-apparmor-detection-rules

Fix 685 update apparmor detection rules

Author: 06kellyjac

pkg/ruler/ruleset.go

@@ -250,13 +250,23 @@ func NewRuleset(logger *zap.SugaredLogger) *Ruleset {
 	apparmorAnyRule := Rule{
 		Predicate: rules.ApparmorAny,
 		ID:        "ApparmorAny",
-		Selector:  ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
-		Reason:    "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
+		Selector:  ".spec .securityContext .appArmorProfile .type | .spec .containers[] .securityContext .appArmorProfile .type | .spec .initContainers[] .securityContext .appArmorProfile .type | .spec .ephemeralContainers[] .securityContext .appArmorProfile .type",
+		Reason:    "Well defined AppArmor policies may provide greater protection from unknown threats.",
 		Kinds:     []string{"Pod", "Deployment", "StatefulSet", "DaemonSet"},
 		Points:    3,
 	}
 	list = append(list, apparmorAnyRule)
 
+	apparmorUnconfinedRule := Rule{
+		Predicate: rules.ApparmorUnconfined,
+		ID:        "ApparmorUnconfined",
+		Selector:  ".spec .securityContext .appArmorProfile .type | .spec .containers[] .securityContext .appArmorProfile .type | .spec .initContainers[] .securityContext .appArmorProfile .type | .spec .ephemeralContainers[] .securityContext .appArmorProfile .type",
+		Reason:    "Unconfined AppArmor profiles disable AppArmor enforcement on the workloads",
+		Kinds:     []string{"Pod", "Deployment", "StatefulSet", "DaemonSet"},
+		Points:    -1,
+	}
+	list = append(list, apparmorUnconfinedRule)
+
 	volumeClaimAccessModeReadWriteOnce := Rule{
 		Predicate: rules.VolumeClaimAccessModeReadWriteOnce,
 		ID:        "VolumeClaimAccessModeReadWriteOnce",

pkg/rules/apparmorAny.go

@@ -1,42 +1,33 @@
 package rules
 
-import (
-	"bytes"
-	"fmt"
-	"github.com/thedevsaddam/gojsonq/v2"
-	"regexp"
-	"strings"
-)
+import "github.com/thedevsaddam/gojsonq/v2"
 
-// TODO(ajm): tighten these matches, they could be "[apparmor..." or " apparmor...", and "unconfined]" or "unconfined "
-// TODO(ajm): space delimiting matches is insufficient as this could be set to `unconfined blah`
-func ApparmorAny(json []byte) int {
-	containers := 0
-	startWordBoundaryRegex := "[\\[ ]"
-	endWordBoundaryRegex := "[\\] ]"
-
-	annotations := gojsonq.New().Reader(bytes.NewReader(json)).
-		From("metadata.annotations").Get()
+// isApparmorUnconfined checks the appArmorProfile.type field and returns a checkSecurityContextResult struct.
+// If the field is set then unset=false. If, on top of that, the value of Unconfined matches the expected value
+// then return valid=true.
+func isApparmorUnconfined(jq *gojsonq.JSONQ, expectedUnconfined bool) checkSecurityContextResult {
+	value := jq.From("securityContext.appArmorProfile.type").Get()
 
-	annotationsString := fmt.Sprintf("%v", annotations)
+	v, ok := value.(string)
 
-	if annotations != nil && strings.Contains(annotationsString, "container.apparmor.security.beta.kubernetes.io/pod:") {
-		if !strings.Contains(annotationsString, "container.apparmor.security.beta.kubernetes.io/pod:unconfined") {
-			containers++
-		}
-	} else if annotations != nil {
+	res := checkSecurityContextResult{}
 
-		keyNameRegex := "container\\.apparmor\\.security\\.beta\\.kubernetes\\.io/[a-zA-Z-.]+"
-		// TODO(ajm) match end of string in regex
-		isNamedPodMatch, _ := regexp.MatchString(startWordBoundaryRegex+keyNameRegex+":", annotationsString)
+	if !ok {
+		res.unset = true
+		return res
+	}
 
-		if isNamedPodMatch {
-			isUnconfinedNamedPodMatch, _ := regexp.MatchString(startWordBoundaryRegex+keyNameRegex+":unconfined"+endWordBoundaryRegex, annotationsString)
-			if !isUnconfinedNamedPodMatch {
-				containers++
-			}
-		}
+	return checkSecurityContextResult{
+		valid: (v == "Unconfined") == expectedUnconfined,
 	}
+}
 
-	return containers
+func ApparmorAny(json []byte) int {
+	return checkSecurityContext(
+		json,
+		true, // present in Pod Security Context
+		func(jq *gojsonq.JSONQ) checkSecurityContextResult {
+			return isApparmorUnconfined(jq, false)
+		},
+	)
 }