kubeaudit helps you audit your Kubernetes clusters against common security controls

Overview


Kubeaudit can now be used as both a command line tool (CLI) and as a Go package!

kubeaudit ☁️ 🔒 💪

kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as:

  • run as non-root
  • use a read-only root filesystem
  • drop scary capabilities, don't add new ones
  • don't run privileged
  • and more!

tldr. kubeaudit makes sure you deploy secure containers!

Package

To use kubeaudit as a Go package, see the package docs.

The rest of this README will focus on how to use kubeaudit as a command line tool.

Command Line Interface (CLI)

Installation

Brew

brew install kubeaudit

Download a binary

Kubeaudit has official releases that are blessed and stable: Official releases

DIY build

Master may have newer features than the stable releases. If you need a newer feature not yet included in a release, make sure you're using Go 1.16+ and run the following:

go get -v github.com/Shopify/kubeaudit

Note: from Go 1.18 on, go get no longer builds or installs binaries. On those toolchains use go install github.com/Shopify/kubeaudit@latest (the pkg@version form of go install is available since Go 1.16), which installs the kubeaudit binary into $GOPATH/bin.

Start using kubeaudit with the Quick Start or view all the supported commands.

Kubectl Plugin

Prerequisite: kubectl v1.12.0 or later

With kubectl v1.12.0 introducing easy pluggability of external functions, kubeaudit can be invoked as kubectl audit by

  • running make plugin and having $GOPATH/bin available in your path.

or

  • renaming the binary to kubectl-audit and having it available in your path.

Docker

We also release a Docker image: shopify/kubeaudit. To run kubeaudit as a job in your cluster see Running kubeaudit in a cluster.

Quick Start

kubeaudit has three modes:

  1. Manifest mode
  2. Local mode
  3. Cluster mode

Manifest Mode

If a Kubernetes manifest file is provided using the -f/--manifest flag, kubeaudit will audit the manifest file.

Example command:

kubeaudit all -f "/path/to/manifest.yml"

Example output:

$ kubeaudit all -f "internal/test/fixtures/all_resources/deployment-apps-v1.yml"

---------------- Results for ---------------

  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: deployment
    namespace: deployment-apps-v1

--------------------------------------------

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container' should be added.
   Metadata:
      Container: container
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container

-- [error] AutomountServiceAccountTokenTrueAndDefaultSA
   Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used.

-- [error] CapabilityShouldDropAll
   Message: Capability not set to ALL. Ideally, you should drop ALL capabilities and add the specific ones you need to the add list.
   Metadata:
      Container: container
      Capability: AUDIT_WRITE
...

If no errors with a given minimum severity are found, the following is returned:

All checks completed. 0 high-risk vulnerabilities found

Autofix

Manifest mode also supports autofixing all security issues using the autofix command:

kubeaudit autofix -f "/path/to/manifest.yml"

To write the fixed manifest to a new file instead of modifying the source file, use the -o/--output flag.

kubeaudit autofix -f "/path/to/manifest.yml" -o "/path/to/fixed"

To fix a manifest based on custom rules specified on a kubeaudit config file, use the -k/--kconfig flag.

kubeaudit autofix -k "/path/to/kubeaudit-config.yml" -f "/path/to/manifest.yml" -o "/path/to/fixed"

Cluster Mode

Kubeaudit can detect if it is running within a container in a cluster. If so, it will try to audit all Kubernetes resources in that cluster:

kubeaudit all

Local Mode

Kubeaudit will try to connect to a cluster using the local kubeconfig file ($HOME/.kube/config). A different kubeconfig location can be specified using the -c/--kubeconfig flag.

kubeaudit all -c "/path/to/config"

For more information on kubernetes config files, see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/

Audit Results

Kubeaudit produces results with three levels of severity:

  • Error: A security issue or invalid kubernetes configuration
  • Warning: A best practice recommendation
  • Info: Informational, no action required. This includes results that are overridden

The minimum severity level can be set using the --minseverity/-m flag.

By default kubeaudit will output results in a human-readable way. If the output is intended to be further processed, it can be set to output JSON using the --format json flag. To output results as logs (the previous default) use --format logrus.

If there are results of severity level error, kubeaudit will exit with exit code 2. This can be changed using the --exitcode/-e flag.

For all the ways kubeaudit can be customized, see Global Flags.
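The severity levels, --minseverity filter and exit code described above are what a CI job acts on. The script below is an added example (not kubeaudit's own code) that consumes --format json output and applies a policy stricter than the default, failing on warnings as well as errors, while listing overridden ("Allowed") results for review. It assumes the JSON output is one object per line in logrus style with the field names level, msg, AuditResultName, ResourceKind, ResourceName, ResourceNamespace, Container and OverrideReason; SAMPLE_OUTPUT is constructed for the example, not captured from a real run.

```python
"""Gate a CI job on `kubeaudit all --format json` output.

Added example for this README; it is not kubeaudit's own code. Assumptions:
the JSON format is one object per line (logrus JSON style) and the field names
"level", "msg", "AuditResultName", "ResourceKind", "ResourceName",
"ResourceNamespace", "Container" and "OverrideReason". SAMPLE_OUTPUT is
constructed for the example, not captured from a real run.
"""
import json
import sys

# Severity order from the README: info < warning < error.
SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2}

# Constructed sample of three result lines: an error, a warning and an overridden result.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({"AuditResultName": "CapabilityShouldDropAll", "Container": "web",
                "ResourceKind": "Deployment", "ResourceName": "web",
                "ResourceNamespace": "prod", "level": "error",
                "msg": "Capability not set to ALL."}),
    json.dumps({"AuditResultName": "LimitsNotSet", "Container": "web",
                "ResourceKind": "Deployment", "ResourceName": "web",
                "ResourceNamespace": "prod", "level": "warning",
                "msg": "Resource limits not set."}),
    json.dumps({"AuditResultName": "AutomountServiceAccountTokenTrueAndDefaultSAAllowed",
                "ResourceKind": "ReplicationController", "ResourceName": "rc",
                "ResourceNamespace": "legacy", "level": "info",
                "OverrideReason": "SomeReason",
                "msg": "Audit result overridden: Default service account with token mounted."}),
])


def parse_results(text):
    """Parse newline-delimited JSON; blank or non-JSON lines are ignored."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("{"):
            results.append(json.loads(line))
    return results


def severity(result):
    """Numeric rank of a result's level; unknown levels count as info."""
    return SEVERITY_RANK.get(result.get("level", "info"), 0)


def filter_min_severity(results, min_severity="info"):
    """Same effect as -m/--minseverity: keep results at or above the threshold."""
    return [r for r in results if severity(r) >= SEVERITY_RANK[min_severity]]


def overridden(results):
    """Results downgraded via override labels carry an 'Allowed' suffix; list them for review."""
    return [r for r in results if r.get("AuditResultName", "").endswith("Allowed")]


def summarize(results):
    """Count results per severity level."""
    counts = {"error": 0, "warning": 0, "info": 0}
    for r in results:
        level = r.get("level", "info")
        counts[level] = counts.get(level, 0) + 1
    return counts


def exit_code(results, fail_on="error", code=2):
    """kubeaudit's default is exit 2 when any error exists; fail_on="warning" makes CI stricter."""
    worst = max((severity(r) for r in results), default=-1)
    return code if worst >= SEVERITY_RANK[fail_on] else 0


def resource_id(result):
    """Human-readable 'Kind/namespace/name[container]' for a result."""
    rid = "%s/%s/%s" % (result.get("ResourceKind", "?"), result.get("ResourceNamespace", "?"),
                        result.get("ResourceName", "?"))
    if result.get("Container"):
        rid += "[%s]" % result["Container"]
    return rid


if __name__ == "__main__":
    # Usage: kubeaudit all --format json -f manifest.yml | python gate.py
    # With no piped input the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    res = parse_results(text)
    print(summarize(res))
    for r in overridden(res):
        print("override:", resource_id(r), r["AuditResultName"], "reason:", r.get("OverrideReason", ""))
    sys.exit(exit_code(res, fail_on="warning"))
```

Because kubeaudit already exits 2 on errors, pipe its output with the shell's pipefail disabled for that stage, or run the script on a saved output file, so that the policy decision comes from one place. Overridden results are still emitted, which is what makes an audit of the overrides themselves possible.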

Commands

Command   Description
all       Runs all available auditors, or those specified using a kubeaudit config.
autofix   Automatically fixes security issues.
version   Prints the current kubeaudit version.

Auditors

Auditors can also be run individually.

Command       Description
apparmor      Finds containers running without AppArmor.
asat          Finds pods using an automatically mounted default service account.
capabilities  Finds containers that do not drop the recommended capabilities or add new ones.
hostns        Finds containers that have HostPID, HostIPC or HostNetwork enabled.
image         Finds containers which do not use the desired version of an image (via the tag) or use an image without a tag.
limits        Finds containers which exceed the specified CPU and memory limits or do not specify any.
mounts        Finds containers that have sensitive host paths mounted.
netpols       Finds namespaces that do not have a default-deny network policy.
nonroot       Finds containers running as root.
privesc       Finds containers that allow privilege escalation.
privileged    Finds containers running as privileged.
rootfs        Finds containers which do not have a read-only filesystem.
seccomp       Finds containers running without Seccomp.

Global Flags

Short  Long           Description
       --format       The output format to use (one of "pretty", "logrus", "json") (default "pretty")
-c     --kubeconfig   Path to local Kubernetes config file. Only used in local mode (default is $HOME/.kube/config)
-f     --manifest     Path to the yaml configuration to audit. Only used in manifest mode.
-n     --namespace    Only audit resources in the specified namespace. Not currently supported in manifest mode.
-m     --minseverity  Set the lowest severity level to report (one of "error", "warning", "info") (default "info")
-e     --exitcode     Exit code to use if there are results with severity of "error". Conventionally, 0 is used for success and all non-zero codes for an error. (default 2)

Configuration File

The kubeaudit config can be used for two things:

  1. Enabling only some auditors
  2. Specifying configuration for auditors

Any configuration that can be specified using flags for the individual auditors can be represented using the config.

The config has the following format:

enabledAuditors:
  # Auditors are enabled by default if they are not explicitly set to "false"
  apparmor: false
  asat: false
  capabilities: true
  hostns: true
  image: true
  limits: true
  mounts: true
  netpols: true
  nonroot: true
  privesc: true
  privileged: true
  rootfs: true
  seccomp: true
auditors:
  capabilities:
    # add capabilities needed to the add list, so kubeaudit won't report errors
    allowAddList: ['AUDIT_WRITE', 'CHOWN']
  image:
    # If no image is specified and the 'image' auditor is enabled, WARN results
    # will be generated for containers which use an image without a tag
    image: 'myimage:mytag'
  limits:
    # If no limits are specified and the 'limits' auditor is enabled, WARN results
    # will be generated for containers which have no cpu or memory limits specified
    cpu: '750m'
    memory: '500m'

For more details about each auditor, including a description of the auditor-specific configuration in the config, see the Auditor Docs.

Note: The kubeaudit config is not the same as the kubeconfig file specified with the -c/--kubeconfig flag, which refers to the Kubernetes config file (see Local Mode). Also note that only the all and autofix commands support using a kubeaudit config. It will not work with other commands.

Note: If flags are used in combination with the config file, flags will take precedence.

Override Errors

Security issues can be ignored for specific containers or pods by adding override labels. This means the auditor will produce info results instead of error results and the audit result name will have Allowed appended to it. The labels are documented in each auditor's documentation, but the general format for auditors that support overrides is as follows:

An override label consists of a key and a value.

The key is a combination of the override type (container or pod) and an override identifier which is unique to each auditor (see the docs for the specific auditor). The key can take one of two forms depending on the override type:

  1. Container overrides, which override the auditor for that specific container, are formatted as follows:

     container.audit.kubernetes.io/[container name].[override identifier]

  2. Pod overrides, which override the auditor for all containers within the pod, are formatted as follows:

     audit.kubernetes.io/pod.[override identifier]

If the value is set to a non-empty string, it will be displayed in the info result as the OverrideReason:

$ kubeaudit asat -f "auditors/asat/fixtures/service-account-token-true-allowed.yml"

---------------- Results for ---------------

  apiVersion: v1
  kind: ReplicationController
  metadata:
    name: replicationcontroller
    namespace: service-account-token-true-allowed

--------------------------------------------

-- [info] AutomountServiceAccountTokenTrueAndDefaultSAAllowed
   Message: Audit result overridden: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used.
   Metadata:
      OverrideReason: SomeReason

As per Kubernetes spec, value must be 63 characters or less and must be empty or begin and end with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between.

Multiple override labels (for multiple auditors) can be added to the same resource.

See the specific auditor docs for the auditor you wish to override for examples.

To learn more about labels, see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
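The two mechanisms described above, auditor configuration (the allowAddList of the capabilities auditor in the Configuration File section) and override labels, interact on every result. The script below is an added example, not kubeaudit's own code, that models that interaction for the capabilities check on a constructed Pod: a container must drop ALL, may only add capabilities listed in allowAddList, and any finding can be downgraded to info by a container-level or pod-level override label whose value becomes the OverrideReason. The override identifiers used here (allow-capability-<cap> and allow-capability-drop-all), the result name CapabilityAdded and SAMPLE_POD are assumptions made for the example; the real identifiers are documented per auditor. Label values are checked against the Kubernetes rule quoted above before an override is honoured.

```python
"""Capabilities check driven by a kubeaudit-style config, with override labels.

Added example for this README; it is not kubeaudit's own code. It models the
behaviour the README describes for the `capabilities` auditor (drop ALL; only
add what `allowAddList` permits) and for override labels (error becomes info,
the result name gets an "Allowed" suffix, the label value becomes
OverrideReason). The override identifiers used here
("allow-capability-<cap>" and "allow-capability-drop-all"), the result name
"CapabilityAdded" and SAMPLE_POD are assumptions made for this example.
"""
import re

# Kubernetes label value rule quoted in the README: at most 63 characters, empty or
# alphanumeric at both ends with '-', '_', '.' and alphanumerics in between.
LABEL_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")

# Mirrors the README's config file: auditors.capabilities.allowAddList
CONFIG = {"auditors": {"capabilities": {"allowAddList": ["AUDIT_WRITE", "CHOWN"]}}}

# Constructed manifest as a dict (no YAML library needed): "web" drops ALL and adds
# NET_BIND_SERVICE with a container-level override; "sidecar" has no capabilities block.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo", "labels": {
        "container.audit.kubernetes.io/web.allow-capability-net-bind-service": "needs-port-80"}},
    "spec": {"containers": [
        {"name": "web", "image": "myimage:mytag",
         "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
        {"name": "sidecar", "image": "myimage:mytag"},
    ]},
}


def valid_label_value(value):
    """True if value satisfies the Kubernetes label value rule."""
    return len(value) <= 63 and LABEL_VALUE_RE.match(value) is not None


def override_label_keys(container, identifier):
    """Both key forms from the README: container-scoped first, then pod-scoped."""
    return ["container.audit.kubernetes.io/%s.%s" % (container, identifier),
            "audit.kubernetes.io/pod.%s" % identifier]


def find_override(labels, container, identifier):
    """Return (True, reason) when a matching override label exists, else (False, None).
    A label whose value breaks the Kubernetes rule is rejected instead of silently honoured."""
    for key in override_label_keys(container, identifier):
        if key in labels:
            value = labels[key]
            if not valid_label_value(value):
                raise ValueError("label %s has an invalid value %r" % (key, value))
            return True, value
    return False, None


def audit_capabilities(pod, config=CONFIG):
    """Return one result dict per finding, shaped like the README's output examples."""
    allowed = {c.upper() for c in config["auditors"]["capabilities"].get("allowAddList", [])}
    labels = pod.get("metadata", {}).get("labels", {}) or {}
    results = []
    for container in pod["spec"]["containers"]:
        caps = (container.get("securityContext") or {}).get("capabilities") or {}
        drop = {c.upper() for c in caps.get("drop") or []}
        added = [c.upper() for c in caps.get("add") or []]
        findings = []  # (result name, message, override identifier suffix, metadata)
        if "ALL" not in drop:
            findings.append(("CapabilityShouldDropAll", "Capability not set to ALL.", "drop-all", {}))
        for cap in added:
            if cap not in allowed:
                findings.append(("CapabilityAdded", "Capability %s added." % cap,
                                 cap.lower().replace("_", "-"), {"Capability": cap}))
        for name, msg, ident, meta in findings:
            result = {"level": "error", "AuditResultName": name,
                      "Container": container["name"], "msg": msg}
            result.update(meta)
            is_overridden, reason = find_override(labels, container["name"], "allow-capability-" + ident)
            if is_overridden:
                # Override: error -> info, name gets the "Allowed" suffix, value becomes the reason.
                result.update({"level": "info", "AuditResultName": name + "Allowed",
                               "msg": "Audit result overridden: " + msg, "OverrideReason": reason})
            results.append(result)
    return results


if __name__ == "__main__":
    for r in audit_capabilities(SAMPLE_POD):
        print("[%s] %s %s %s" % (r["level"], r["AuditResultName"], r["Container"],
                                 r.get("OverrideReason", "")))
```

Note the design choice in find_override: a label with an invalid value raises rather than counting as "no override" or as "overridden", so a typo in a reason cannot silently change the audit outcome in either direction.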

Contributing

If you'd like to fix a bug, contribute a feature or just correct a typo, please feel free to do so as long as you follow our Code of Conduct.

  1. Create your own fork!
  2. Get the source: go get github.com/Shopify/kubeaudit
  3. Go to the source: cd $GOPATH/src/github.com/Shopify/kubeaudit
  4. Add your forked repo as a fork: git remote add fork https://github.com/you-are-awesome/kubeaudit
  5. Create your feature branch: git checkout -b awesome-new-feature
  6. Install Kind
  7. Run the tests to see everything is working as expected: make test (to run tests without Kind: USE_KIND=false make test)
  8. Commit your changes: git commit -am 'Adds awesome feature'
  9. Push to the branch: git push fork
  10. Sign the Contributor License Agreement
  11. Submit a PR (All PRs must be labeled with 🐛 (Bug fix), ✨ (New feature), 📖 (Documentation update), or ⚠️ (Breaking changes) )
  12. ???
  13. Profit

Note that if you didn't sign the CLA before opening your PR, you can re-run the check by adding a comment to the PR that says "I've signed the CLA!"!

Issues
  • Add a new command to audit runAsUser fields

    Description

    Add a new command to audit runAsUser fields. The audit will trigger an alert when the container user ID is not overridden with a non-root user using the runAsUser either in the Pod Security Context or the container Security Context. The check will fail if no runAsUser is specified or if it uses the 0 UID. This is useful to enforce a non-root user in the container at runtime.

    Here's a sample result:

    kubeaudit runasuser -f "auditors/runasuser/fixtures/run-as-user-0.yml" 
    
    ---------------- Results for ---------------
    
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: deployment
        namespace: run-as-user-0
    
    --------------------------------------------
    
    -- [error] RunAsUserCSCRoot
       Message: container user ID not overridden to non-root user using runAsUser SecurityContext. It should be set to > 0.
       Metadata:
          Container: container
    

    I've also modified the nonroot command's description from This command determines which containers are running as root (uid=0) to This command determines which containers are allowed to run as root (uid=0). because even when runAsNonRoot is set to true or is missing, this doesn't mean that the container will effectively run as root, only that it will be permitted to use the root user if it's the one specified in the image.

    Type of change
    • [x] New feature :sparkles:
    • [x] This change requires a documentation update 📖
    How Has This Been Tested?
    • [x] Automated tests
    • [x] Manual tests (cluster - local mode, manifest files)
    Checklist:
    • [x] I have 🎩 my changes (A 🎩 specifically includes pulling down changes, setting them up, and manually testing the changed features and potential side effects to make sure nothing is broken)
    • [x] I have performed a self-review of my own code
    • [x] I have made corresponding changes to the documentation
    • [x] I have added tests that prove my fix is effective or that my feature works
    • [x] New and existing unit tests pass locally with my changes
    • [] The test coverage did not decrease
    • [x] I have signed the appropriate Contributor License Agreement
    core readme go-modules 
    opened by jcbbc 18
  • Quota cmd

    Hi,

    Setting CPU and memory limits is a good security practice. (see http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html) Why not test this with a kubeaudit command?

    What do you think of this notion and my implementation? Your feedback is very welcome.

    Regards, Jeremie.

    opened by jerr 15
  • Bugfixes: Allow any of the deployment types to be used, fix spurious errors on services

    This PR fixes two issues I encountered while trying out kubeaudit:

    1. When using another deployment type than the one specified in types.go, checks would silently fail.
    2. When running kubeaudit on a type not known to it (such as, for example, running kubeaudit -f <service yaml>), you'd get an incorrect error that automountServiceAccountToken: false needed to be set.
    opened by luna-duclos 11
  • runAsNonRoot False Positive

    ISSUE TYPE
    • [x] Bug Report

    BUG REPORT

    SUMMARY

    Kubeaudit currently returns False positives for "runAsNonRoot". It shows that the Security Context does not have this set ('RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed!'). Is this because it's looking for "RunAsNonRoot" whereas Security Context has "runAsNonRoot" set on it (Caps on 'r')?

    ENVIRONMENT
    • Kubeaudit version: 0.0.0
    • Kubeaudit install method: DIY-BUILD
    STEPS TO REPRODUCE

    General Run of kubeaudit

    EXPECTED RESULTS

    Not see 'RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed!' flagged up as an error

    ACTUAL RESULTS
    'RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed!' as the Error output
    
    ADDITIONAL INFORMATION

    Security Context:

            securityContext:
              fsGroup: 64999
              runAsGroup: 2000
              runAsNonRoot: true
              runAsUser: 2000
    

    Kubeaudit Report:

    {'Container': <Redacted>, 'KubeType': 'daemonSet', 'Name': <Redacted>, 'Namespace': <Redacted>, 'level': 'error', 'msg': 'RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed!', 'time': '2020-04-20T14:30:15-07:00'}
    
    bug 
    opened by secmesh 10
  • Initial support for networkPolicy audit

    Signed-off-by: Johannes M. Scheuermann [email protected]

    This PR implements: https://github.com/Shopify/kubeaudit/issues/117

    ToDo

    • [x] Implement check for default-deny
    • [x] Add unit test for NetworkPolicy audit
    opened by johscheuer 9
  • Kubeaudit throws errors instead of warning for unsupported types

    ISSUE TYPE
    • [x] Bug Report
    • [ ] Feature Idea

    BUG REPORT

    SUMMARY

    Kubeaudit returns an error instead of a warning for k8s Jobs because they're unsupported.

    ENVIRONMENT
    • Kubeaudit version: latest
    • Kubeaudit install method: DIY-BUILD/Github app
    STEPS TO REPRODUCE

    Run kubeaudit all -f validJobTemplate.yml

    EXPECTED RESULTS

    Receive a warning that Jobs are not supported by kubeaudit

    ACTUAL RESULTS

    Kubeaudit threw an error that caused my CI to fail

    ADDITIONAL INFORMATION

    [image]

    bug 
    opened by alexhope61 8
  • Support dash as short for stdin

    Description

    Simple addition to support a dash as alias for /dev/stdin.

    I would expect a cli tool to accept a simple - in order to read from the stdin stream. For example currently I have to write:

    kustomize build . | kubeaudit all -f /dev/stdin.

    This pr makes it more straightforward: kustomize build . | kubeaudit all -f -

    Type of change
    • [ ] Bug fix :bug:
    • [x] New feature :sparkles:
    • [ ] This change requires a documentation update :book:
    • [ ] Breaking changes :warning:
    How Has This Been Tested?

    Just manually; I did not find any preexisting place where CLI args are tested. Maybe you can point to that if a test is needed.

    • [ ] Test A
    • [ ] Test B
    Checklist:
    • [x] I have :tophat: my changes (A 🎩 specifically includes pulling down changes, setting them up, and manually testing the changed features and potential side effects to make sure nothing is broken)
    • [x] I have performed a self-review of my own code
    • [ ] I have made corresponding changes to the documentation
    • [ ] I have added tests that prove my fix is effective or that my feature works
    • [ ] New and existing unit tests pass locally with my changes
    • [ ] The test coverage did not decrease
    • [x] I have signed the appropriate Contributor License Agreement
    core readme 
    opened by raffis 7
  • 🐛 Fix deadlink in seccomp auditor docs

    Description

    Replace dead link to gardener.cloud seccomp tutorial with official kubernetes seccomp tutorial.

    Type of change
    • [x] Bug fix :bug:
    • [ ] New feature :sparkles:
    • [ ] This change requires a documentation update :book:
    • [ ] Breaking changes :warning:
    opened by bvwells 7
  • support for CRD's that extend common types

    ISSUE TYPE
    • [ ] Bug Report
    • [X] Feature Idea
    SUMMARY

    I've noticed that Kubeaudit doesn't catch CRDs that are extending typical k8s resources, like apps/v1. It looks like, by finagling the data out with kubectl and scanning it, you can still get to the original source of truth.

    STEPS TO REPRODUCE

    Create a custom CRD based off apps; scan k8s; it doesn't find anything wrong with the deployed applications.

    EXPECTED RESULTS

    It should find them

    other stuff

    if you guys want to point me in the direction of where in the code one can specify a custom CRD, that'll work for me and I'll add a flag to support it.

    opened by nobletrout 7
  • Running Kubeaudit as a Cronjob and Kubeaudit's Container image

    ISSUE TYPE
    • [x] Bug Report

    BUG REPORT

    SUMMARY

    I don't seem to find a kubernetes manifest file over here. I would like to run Kubeaudit as a Cronjob for example. Is this documented somewhere?

    feature 
    opened by secmesh 7
  • Print INFO message for matching image:tag

    As per the documentation string:

    An INFO log is given when a container has a matching image:tag
    An ERROR log is generated when a container does not match the image:tag
    

    This is not what is happening. Currently, it only prints the ERROR log. This pull request updates the kubectl image command to also print an INFO log when the image:tag matches.

    opened by marc-barry 7
  • Support AppArmor profile unconfined

    ISSUE TYPE
    • [ ] Bug Report
    • [X] Feature Idea

    FEATURE IDEA

    Proposal: At current kubeaudit does not support annotations of the form: container.apparmor.security.beta.kubernetes.io/<container>: unconfined. It errors with: Message: AppArmor is disabled. This can't be overridden because kubeaudit doesn't support apparmor override errors.

    But the unconfined profile is supported by k8s and may be used for containers that need access to /proc but can't use localhost profiles.

    kubeaudit should either support the unconfined profile or allow overrides for apparmor. I think the same applies for seccomp.

    opened by JWT95 2
  • add support for sarif

    This idea was proposed by @thepwagner:

    We could extend Kubeaudit to output results in Static Analysis Results Interchange Format (SARIF) format. This would allow integrating with GitHub via GitHub Code Scanning:

    This means OSS users can use Kubeaudit on GitHub Actions - https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-that-runs-the-eslint-analysis-tool

    ISSUE TYPE
    • [ ] Bug Report
    • [x] Feature Idea

    FEATURE IDEA

    • [ ] If the maintainers agree with the feature as described here, I intend to submit a Pull Request myself.[1]

    Proposal:

    [1] This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.

    opened by dani-santos-code 0
  • ✨ Adds "deprecated apis" auditor

    Description

    Fixes #408

    Adds a new command deprecatedapis to find deprecated APIs of resources. For every resource defined with a deprecated API, it reports the version since which the API is deprecated, the version in which it is removed, and the recommended replacement API.

    Here's a sample result:

    $ kubeaudit deprecatedapis -f "auditors/deprecatedapis/fixtures/cronjob.yml"
    
    ---------------- Results for ---------------
      apiVersion: batch/v1beta1
      kind: CronJob
      metadata:
        name: hello
    --------------------------------------------
    -- [warning] DeprecatedAPIUsed
       Message: batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob
       Metadata:
          DeprecatedMajor: 1
          DeprecatedMinor: 21
          RemovedMajor: 1
          RemovedMinor: 25
          ReplacementKind: CronJob
          ReplacementGroup: batch/v1
    

    This PR also brings the possibility to audit any type of resource using the dynamic client.

    Type of change
    • [x] New feature :sparkles:
    • [x] This change requires a documentation update :book:
    How Has This Been Tested?
    • [x] Automated tests
    • [x] Manual tests (local mode and manifest files)
    Checklist:
    • [x] I have :tophat: my changes (A 🎩 specifically includes pulling down changes, setting them up, and manually testing the changed features and potential side effects to make sure nothing is broken)
    • [x] I have performed a self-review of my own code
    • [x] I have made corresponding changes to the documentation
    • [x] I have added tests that prove my fix is effective or that my feature works
    • [x] New and existing unit tests pass locally with my changes
    • [x] The test coverage did not decrease
    • [x] I have signed the appropriate Contributor License Agreement
    core readme 
    opened by jerr 2
  • ✨ Add the --context option

    Description

    As with the kubectl command line tool, the option -c/--context is added to specify a context. The -c flag is therefore no longer used to specify the kubeconfig path.

    Type of change
    • [x] New feature :sparkles:
    • [x] This change requires a documentation update :book:
    • [x] Breaking changes :warning:
    How Has This Been Tested?
    • [x] Added unit test in kubeaudit_test.go to test invalid context name
    • [x] Instead of specifying a context with the kubectl cluster-info --context <CONTEXT> command, I ran kubeaudit limits with the --context <CLUSTER> flag.
    • [x] The help information is updated.
      $ ./kubeaudit --help                                        
      Kubeaudit audits Kubernetes clusters for common security controls.
      
      ...
      
      Flags:
        -c, --context string       The name of the kubeconfig context to use
        -e, --exitcode int         Exit code to use if there are results with severity of "error". Conventionally, 0 is used for success and all non-zero codes for an error. (default 2)
        -p, --format string        The output format to use (one of "pretty", "logrus", "json") (default "pretty")
        -h, --help                 help for kubeaudit
        -g, --includegenerated     Include generated resources in scan  (eg. pods generated by deployments).
            --kubeconfig string    Path to local Kubernetes config file. Only used in local mode (default is $HOME/.kube/config)
        -f, --manifest string      Path to the yaml configuration to audit. Only used in manifest mode.
        -m, --minseverity string   Set the lowest severity level to report (one of "error", "warning", "info") (default "info")
        -n, --namespace string     Only audit resources in the specified namespace. Not currently supported in manifest mode.
      
    Checklist:
    • [ ] I have :tophat: my changes (A 🎩 specifically includes pulling down changes, setting them up, and manually testing the changed features and potential side effects to make sure nothing is broken)
    • [ ] I have performed a self-review of my own code
    • [ ] I have made corresponding changes to the documentation
    • [ ] I have added tests that prove my fix is effective or that my feature works
    • [ ] New and existing unit tests pass locally with my changes
    • [ ] The test coverage did not decrease
    • [ ] I have signed the appropriate Contributor License Agreement
    core readme 
    opened by jerr 2
  • Deprecated API auditor

    ISSUE TYPE
    • [ ] Bug Report
    • [x] Feature Idea
    SUMMARY

    The idea is to create a new auditor that'll check for deprecated api versions of resources. Suggested by @jerr

    opened by dani-santos-code 0
  • kubeaudit does not understand PodSecurityContext.seccompProfile

    ISSUE TYPE
    • [ ] Bug Report

    BUG REPORT

    SUMMARY

    k8s 1.20 introduced the GA syntax for setting seccompProfile:

        spec:
          securityContext:
            seccompProfile:
              type: RuntimeDefault
    

    When running kubeaudit on pods with this setting, it complains about SeccompAnnotationMissing

    ENVIRONMENT
    • Kubeaudit version: v0.14.1
    • Kubeaudit install method: docker image using "With RBAC" manifest
    STEPS TO REPRODUCE

    Deploy the kubernetes-dashboard according to https://github.com/kubernetes/dashboard/blob/master/aio/deploy/recommended.yaml, but with the daemonset spec modified as follows:

    spec:
      progressDeadlineSeconds: 600
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          k8s-app: kubernetes-dashboard
      strategy:
        rollingUpdate:
          maxSurge: 25%
          maxUnavailable: 25%
        type: RollingUpdate
      template:
        metadata:
          creationTimestamp: null
          labels:
            k8s-app: kubernetes-dashboard
        spec:
          containers:
          - args:
            - --auto-generate-certificates
            - --dashboard-endpoint=https://127.0.0.1:8443
            image: docker.io/kublr/k8s-dashboard-auth-proxy:v1.0
            imagePullPolicy: Always
            livenessProbe:
              failureThreshold: 3
              httpGet:
                path: /
                port: 9443
                scheme: HTTPS
              initialDelaySeconds: 30
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 30
            name: kubernetes-dashboard-auth-proxy
            ports:
            - containerPort: 9443
              protocol: TCP
            resources:
              limits:
                cpu: 50m
                memory: 100Mi
              requests:
                cpu: 5m
                memory: 100Mi
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
              privileged: false
              readOnlyRootFilesystem: true
              runAsGroup: 2001
              runAsUser: 1001
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
            volumeMounts:
            - mountPath: /certs
              name: kubernetes-dashboard-certs
            - mountPath: /tmp
              name: tmp-volume
          - args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            - --enable-skip-login=true
            image: docker.io/kubernetesui/dashboard:v2.0.4
            imagePullPolicy: Always
            name: kubernetes-dashboard
            ports:
            - containerPort: 8443
              protocol: TCP
            resources:
              limits:
                cpu: 100m
                memory: 512Mi
              requests:
                cpu: 10m
                memory: 50Mi
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
              privileged: false
              readOnlyRootFilesystem: true
              runAsGroup: 2001
              runAsUser: 1001
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
            volumeMounts:
            - mountPath: /certs
              name: kubernetes-dashboard-certs
            - mountPath: /tmp
              name: tmp-volume
          dnsPolicy: ClusterFirst
          nodeSelector:
            kubernetes.io/os: linux
          restartPolicy: Always
          schedulerName: default-scheduler
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          serviceAccount: kubernetes-dashboard
          serviceAccountName: kubernetes-dashboard
          terminationGracePeriodSeconds: 30
          tolerations:
          - key: CriticalAddonsOnly
            operator: Exists
          - effect: NoSchedule
            key: node-role.kubernetes.io/master
          volumes:
          - name: kubernetes-dashboard-certs
            secret:
              defaultMode: 420
              secretName: kubernetes-dashboard-certs
          - emptyDir: {}
            name: tmp-volume
    

    Run kubeaudit by applying the following manifest:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: kubeaudit
      namespace: default
    
    ---
    
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: kubeaudit
    rules:
      - apiGroups: [""]
        resources:
          - pods
          - podtemplates
          - replicationcontrollers
          - namespaces
          - serviceaccounts
        verbs: ["list"]
      - apiGroups: ["apps"]
        resources:
          - daemonsets
          - statefulsets
          - deployments
        verbs: ["list"]
      - apiGroups: ["batch"]
        resources:
          - cronjobs
        verbs: ["list"]
      - apiGroups: ["networking.k8s.io"]
        resources:
          - networkpolicies
        verbs: ["list"]
    
    ---
    
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: kubeaudit
    subjects:
      - kind: ServiceAccount
        name: kubeaudit
        namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: kubeaudit
    
    ---
    
    apiVersion: batch/v1
    kind: Job
    metadata:
      name: kubeaudit
      namespace: default
    spec:
      template:
        metadata:
          annotations:
            container.apparmor.security.beta.kubernetes.io/kubeaudit: runtime/default
            seccomp.security.alpha.kubernetes.io/pod: runtime/default
        spec:
          serviceAccountName: kubeaudit
          restartPolicy: OnFailure
          containers:
            - name: kubeaudit
              image: shopify/kubeaudit:v0.14.1
              args: ["all", "--exitcode", "0"]
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["all"]
                privileged: false
                readOnlyRootFilesystem: true
                runAsNonRoot: true
    
    EXPECTED RESULTS

    Kubeaudit complains about AppArmorAnnotationMissing but not about SeccompAnnotationMissing.

    ACTUAL RESULTS
    ---------------- Results for ---------------
    
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: kubernetes-dashboard
        namespace: kubernetes-dashboard
    
    --------------------------------------------
    
    -- [error] AppArmorAnnotationMissing
       Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard-auth-proxy' should be added.
       Metadata:
          Container: kubernetes-dashboard-auth-proxy
          MissingAnnotation: container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard-auth-proxy
    
    -- [error] AppArmorAnnotationMissing
       Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard' should be added.
       Metadata:
          Container: kubernetes-dashboard
          MissingAnnotation: container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard
    
    -- [error] SeccompAnnotationMissing
       Message: Seccomp annotation is missing. The annotation seccomp.security.alpha.kubernetes.io/pod: runtime/default should be added.
       Metadata:
          MissingAnnotation: seccomp.security.alpha.kubernetes.io/pod
    
    ADDITIONAL INFORMATION
    help wanted 
    opened by dmitry-irtegov 2
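The report above hinges on a pod that declares its seccomp profile through `securityContext.seccompProfile` (pod-level `RuntimeDefault`, as in the dashboard manifest) rather than through the older `seccomp.security.alpha.kubernetes.io/pod` annotation. As an added example, not kubeaudit's own auditor code, the check below accepts either form: the legacy pod annotation, or a `RuntimeDefault`/`Localhost` profile set at pod level or on every container. The struct types and the `DashboardTemplate` fixture that mirrors the issue's manifest are constructed here and are not the `k8s.io/api` types.

```go
package main

import "fmt"

// Minimal mirror of the pod template fields the check reads; constructed for this
// example, not the k8s.io/api types or kubeaudit's own auditor code.
type SeccompProfile struct{ Type string }
type SecurityContext struct{ SeccompProfile *SeccompProfile }
type Container struct {
	Name            string
	SecurityContext *SecurityContext
}
type PodTemplate struct {
	Annotations     map[string]string
	SecurityContext *SecurityContext
	Containers      []Container
}

const seccompPodAnnotation = "seccomp.security.alpha.kubernetes.io/pod"
// confined is true when a securityContext pins RuntimeDefault or Localhost.
func confined(sc *SecurityContext) bool {
	return sc != nil && sc.SeccompProfile != nil &&
		(sc.SeccompProfile.Type == "RuntimeDefault" || sc.SeccompProfile.Type == "Localhost")
}

// SeccompConfigured accepts the legacy pod annotation (anything but "unconfined"),
// a pod-level seccompProfile, or a seccompProfile on every container.
func SeccompConfigured(p PodTemplate) bool {
	if v, ok := p.Annotations[seccompPodAnnotation]; (ok && v != "unconfined") || confined(p.SecurityContext) {
		return true
	}
	for _, c := range p.Containers {
		if !confined(c.SecurityContext) {
			return false // one unconfined container is enough to fail the pod
		}
	}
	return len(p.Containers) > 0
}
// DashboardTemplate mirrors the issue's kubernetes-dashboard pod template: no
// annotations, pod-level seccompProfile RuntimeDefault, two containers.
func DashboardTemplate() PodTemplate {
	return PodTemplate{
		SecurityContext: &SecurityContext{SeccompProfile: &SeccompProfile{Type: "RuntimeDefault"}},
		Containers:      []Container{{Name: "kubernetes-dashboard-auth-proxy"}, {Name: "kubernetes-dashboard"}},
	}
}

func main() {
	fmt.Println("seccomp configured:", SeccompConfigured(DashboardTemplate())) // prints true
}
```

For the dashboard template the check passes, which is the outcome the reporter expected; a template with neither the annotation nor any seccompProfile, or with one container left unconfined, still fails.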
Releases(v0.18.0)
Owner
Shopify