Added another validation

FairwindsOps · Nov 12, 2024 · 091e65d · 091e65d
1 parent 84b9135
commit 091e65d
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 5 deletions.
diff --git a/pkg/config/checks.go b/pkg/config/checks.go
@@ -30,6 +30,7 @@ var (
 		// Pod checks
 		"hostIPCSet",
 		"hostPathSet",
+		"hostProcess",
 		"hostPIDSet",
 		"hostNetworkSet",
 		"automountServiceAccountToken",
@@ -93,8 +94,5 @@ func init() {
 			panic(err)
 		}
 		BuiltInChecks[checkID] = check
-		if check.ID == "procMount" {
-			fmt.Println("check===", check)
-		}
 	}
 }
diff --git a/pkg/config/checks/hostProcess.yaml b/pkg/config/checks/hostProcess.yaml
@@ -0,0 +1,31 @@
+successMessage: Privileged access to the host check is valid
+failureMessage: Privileged access to the host is disallowed in the Baseline policy
+category: Security
+target: PodSpec
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  type: object
+  properties:
+    containers:
+      type: array
+      items:
+        type: object
+        properties:
+          securityContext:
+            type: object
+            properties:
+              windowsOptions:
+                type: object
+                properties:
+                  hostProcess:
+                    type: boolean
+                    const: false
+    securityContext:
+      type: object
+      properties:
+        windowsOptions:
+          type: object
+          properties:
+            hostProcess:
+              type: boolean
+              const: false                
diff --git a/pkg/config/default.yaml b/pkg/config/default.yaml
@@ -24,6 +24,7 @@ checks:
   automountServiceAccountToken: warning
   hostIPCSet: danger
   hostPathSet: warning
+  hostProcess: warning
   hostPIDSet: danger
   linuxHardening: warning
   missingNetworkPolicy: warning

diff --git a/pkg/config/examples/config-full.yaml b/pkg/config/examples/config-full.yaml
@@ -24,6 +24,7 @@ checks:
   automountServiceAccountToken: warning
   hostIPCSet: danger
   hostPathSet: warning
+  hostProcess: warning
   hostPIDSet: danger
   linuxHardening: danger
   missingNetworkPolicy: warning

diff --git a/pkg/validator/pod_test.go b/pkg/validator/pod_test.go
@@ -35,14 +35,15 @@ func TestValidatePod(t *testing.T) {
 			"hostPortSet":    conf.SeverityDanger,
 			"hostPathSet":    conf.SeverityWarning,
 			"procMount":      conf.SeverityWarning,
+			"hostProcess":    conf.SeverityWarning,
 		},
 	}
 
 	p := test.MockPod()
 	deployment, err := kube.NewGenericResourceFromPod(p, nil)
 	assert.NoError(t, err)
 	expectedSum := CountSummary{
-		Successes: uint(6),
+		Successes: uint(7),
 		Warnings:  uint(0),
 		Dangers:   uint(0),
 	}
@@ -53,6 +54,7 @@ func TestValidatePod(t *testing.T) {
 		"hostPIDSet":     {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"},
 		"hostPathSet":    {ID: "hostPathSet", Message: "HostPath volumes are not configured", Success: true, Severity: "warning", Category: "Security"},
 		"procMount":      {ID: "procMount", Message: "The default /proc masks are set up to reduce attack surface, and should be required", Success: true, Severity: "warning", Category: "Security"},
+		"hostProcess":    {ID: "hostProcess", Message: "Privileged access to the host check is valid", Success: true, Severity: "warning", Category: "Security"},
 	}
 
 	actualPodResult, err := applyControllerSchemaChecks(&c, nil, deployment)
@@ -74,6 +76,7 @@ func TestInvalidIPCPod(t *testing.T) {
 			"hostPortSet":    conf.SeverityDanger,
 			"hostPathSet":    conf.SeverityWarning,
 			"procMount":      conf.SeverityWarning,
+			"hostProcess":    conf.SeverityWarning,
 		},
 	}
 
@@ -91,12 +94,16 @@ func TestInvalidIPCPod(t *testing.T) {
 	p.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
 		ProcMount: &procMount,
 	}
+	hostProcess := true
+	p.Spec.Containers[0].SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{
+		HostProcess: &hostProcess,
+	}
 
 	workload, err := kube.NewGenericResourceFromPod(p, nil)
 	assert.NoError(t, err)
 	expectedSum := CountSummary{
 		Successes: uint(3),
-		Warnings:  uint(2),
+		Warnings:  uint(3),
 		Dangers:   uint(1),
 	}
 	expectedResults := ResultSet{
@@ -105,6 +112,7 @@ func TestInvalidIPCPod(t *testing.T) {
 		"hostPIDSet":     {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"},
 		"hostPathSet":    {ID: "hostPathSet", Message: "HostPath volumes must be forbidden", Success: false, Severity: "warning", Category: "Security"},
 		"procMount":      {ID: "procMount", Message: "Proc mount must not be changed from the default", Success: false, Severity: "warning", Category: "Security"},
+		"hostProcess":    {ID: "hostProcess", Message: "Privileged access to the host is disallowed in the Baseline policy", Success: false, Severity: "warning", Category: "Security"},
 	}
 
 	actualPodResult, err := applyControllerSchemaChecks(&c, nil, workload)