You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Hi @slashben, there is a mismatch between the documentation and the rego functionality.
This is what the rego actually does:
Check whether runAsUser is set to a non-zero value or runAsNonRoot is set to true in PodSecurityContext. If both of them result in false, rego checks the same in every ContainerSecurityContext. Even if one container returns false for both checks, the control fails.
Checks if allowPrivilegeEscalation is set to false in PodSecurityContext. If it is not set or set to true, rego checks the same in every ContainerSecurityContext. Even if one container did not set "allowPrivilegeEscalation" or set it to true, the control fails.
Keeping that in mind, I've written CEL such that it directly checks if each container set the securityContext.allowPrivilegeEscalation to false. Even if one container did not set it, the control fails.
Hi @suhasgumma
Please note that the if and else statements are evaluated in order (https://www.openpolicyagent.org/docs/latest/policy-language/#else-keyword).
That means that first we check the container security context for the given fields, and only if they are not present there, we check the Pod security context. The reason for that being that the container security context takes precedence over the Pod security context (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core).
This behavior needs to be reflected on your check as well. For example, it is possible that runAsNonRoot will be set to true in the Pod security context, and runAsUser will be set to non-zero in the container security context, and so on.
Thank you @Daniel-GrunbergerCA . ContainerSecurityContext takes precedence. Only if the values are not set, we should check in PodSecurityContext. I will implement the control according to this logic and get back to you.
Check if allowPreviligeEscalation is set to false in ContainerSecurityContext. Only if it is not set, check for it in PodSecurityContext. The control fails if it is not set to false.
Check either runAsNonRoot is set to true or runAsUser is non-zero. Only if they are not set in ContainerSecurityContext, fetch their values from PodSecurityContext if they are set there.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Control C-0013
Related Resources: CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
Control Docs: https://hub.armosec.io/docs/c-0013
Control Rego: https://github.com/kubescape/regolibrary/blob/master/rules/non-root-containers/raw.rego