Minor fixes for NSA checks (#952)

* fix rbac checks * fix sensitive env var check * add test case * fix service account check * fix comment --------- Co-authored-by: Andrew Suderman <andy@fairwinds.com>
FairwindsOps · Jun 9, 2023 · 8bfed75 · 8bfed75
1 parent 52a5aa8
commit 8bfed75
Show file tree

Hide file tree

Showing 9 changed files with 56 additions and 6 deletions.
diff --git a/checks/automountServiceAccountToken.yaml b/checks/automountServiceAccountToken.yaml
@@ -5,7 +5,6 @@ target: PodSpec
 schema:
   '$schema': http://json-schema.org/draft-07/schema
   type: object
-  required: ["serviceAccountName"]
   properties:
     serviceAccountName:
       type: string
@@ -15,12 +14,11 @@ schema:
         const: true
 additionalSchemaStrings:
   ServiceAccount: |
+    {{ if not (eq .Polaris.PodSpec.automountServiceAccountToken false) }}
     type: object
     required:
       - metadata
-      {{ if not (eq .Polaris.PodSpec.automountServiceAccountToken false) }}
       - automountServiceAccountToken
-      {{ end }}
     properties:
       metadata:
         type: object
@@ -34,3 +32,4 @@ additionalSchemaStrings:
         type: boolean
         const: false
       {{ end }}
+    {{ end }}
diff --git a/checks/clusterrolebindingClusterAdmin.yaml b/checks/clusterrolebindingClusterAdmin.yaml
@@ -39,6 +39,7 @@ additionalSchemaStrings:
   rbac.authorization.k8s.io/ClusterRole: |
     type: object
     # Do not alert on default ClusterRoleBindings.
+    {{ if (ne .roleRef.name "view") }}
     {{ if and (ne .metadata.name "cluster-admin") (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }}
     required: ["metadata", "rules"]
     allOf:
@@ -86,3 +87,4 @@ additionalSchemaStrings:
                             - "patch"
                             - "delete"
     {{ end }}
+    {{ end }}
diff --git a/checks/clusterrolebindingPodExecAttach.yaml b/checks/clusterrolebindingPodExecAttach.yaml
@@ -37,6 +37,7 @@ additionalSchemaStrings:
   rbac.authorization.k8s.io/ClusterRole: |
     type: object
     # Do not alert on default ClusterRoleBindings.
+    {{ if (ne .roleRef.name "view") }}
     {{ if and (ne .metadata.name "cluster-admin") (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }}
     required: ["metadata", "rules"]
     allOf:
@@ -80,3 +81,4 @@ additionalSchemaStrings:
                         - const: 'get'
                         - const: 'create'
     {{ end }}
+    {{ end }}
diff --git a/checks/sensitiveContainerEnvVar.yaml b/checks/sensitiveContainerEnvVar.yaml
@@ -10,7 +10,9 @@ schemaString: |
       type: array
       items:
         type: object
-        oneOf:
+        anyOf:
+          - not:
+              required: ["value"]
           - required: ["name", "value"]
             properties:
               name:

diff --git a/pkg/config/schema.go b/pkg/config/schema.go
@@ -236,11 +236,15 @@ func (check SchemaCheck) TemplateForResource(res interface{}) (*SchemaCheck, err
 		if err != nil {
 			return nil, err
 		}
+		templated := w.String()
+		if strings.TrimSpace(templated) == "" {
+			continue
+		}
 
 		if kind == "" {
-			newCheck.SchemaString = w.String()
+			newCheck.SchemaString = templated
 		} else {
-			newCheck.AdditionalSchemaStrings[kind] = w.String()
+			newCheck.AdditionalSchemaStrings[kind] = templated
 		}
 	}
 

diff --git a/test/checks/automountServiceAccountToken/success.no_serviceaccount.yaml b/test/checks/automountServiceAccountToken/success.no_serviceaccount.yaml
@@ -0,0 +1,12 @@
+# This succeeds because automounting is disabled on the pod, and there is no specified service account
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+spec:
+  automountServiceAccountToken: false
+  containers:
+  - name: nginx-foo
+    image: nginx-foo
+    ports:
+    - containerPort: 80
diff --git a/test/checks/insecureCapabilities/failure.add.yaml b/test/checks/insecureCapabilities/failure.add.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  labels:
+    env: test
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      capabilities:
+        add:
+          - ALL
diff --git a/test/checks/insecureCapabilities/mutated.add.yaml b/test/checks/insecureCapabilities/mutated.add.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  labels:
+    env: test
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+      securityContext:
+        capabilities:
+          drop:
+            - ALL
diff --git a/test/mutation_test.go b/test/mutation_test.go
@@ -27,6 +27,7 @@ checks:
   memoryLimitsMissing: warning
   readinessProbeMissing: warning
   livenessProbeMissing: warning
+  insecureCapabilities: warning
 `
 
 func TestMutations(t *testing.T) {