
fix(gke): Remove pod-security-policy-config check #43

Merged
merged 1 commit into from
Nov 8, 2023

Conversation

JohnTitor
Contributor

@JohnTitor JohnTitor commented Nov 6, 2023

@CLAassistant

CLAassistant commented Nov 6, 2023

CLA assistant check
All committers have signed the CLA.

Member

@simar7 simar7 left a comment


@nikpivkin could you take a look as well?

@nikpivkin
Collaborator

nikpivkin commented Nov 7, 2023

@simar7 I think we should first remove the PodSecurityPolicy field from defsec and the rule from trivy-policies to update the schema and documentation found in this repository.

@nikpivkin
Collaborator

nikpivkin commented Nov 7, 2023

I opened PR aquasecurity/defsec#1492.

@simar7 I checked, and found that the policies do not use this field when scanning GKE, so they don't need to be updated. But Pod Security Policies are checked when scanning k8s. I think we should create a separate issue for that. Wdyt?

@simar7
Member

simar7 commented Nov 8, 2023

> I opened PR aquasecurity/defsec#1492.
>
> @simar7 I checked, and found that the policies do not use this field when scanning GKE, so they don't need to be updated. But Pod Security Policies are checked when scanning k8s. I think we should create a separate issue for that. Wdyt?

@chen-keinan what do you think? Should we deprecate PSP altogether as mentioned above?

@chen-keinan
Contributor

> > I opened PR aquasecurity/defsec#1492.
> >
> > @simar7 I checked, and found that the policies do not use this field when scanning GKE, so they don't need to be updated. But Pod Security Policies are checked when scanning k8s. I think we should create a separate issue for that. Wdyt?
>
> @chen-keinan what do you think? Should we deprecate PSP altogether as mentioned above?

It's true PSP is checked with k8s; however, I assume if you use the terraform scanner only it will not.

@nikpivkin
Collaborator

@chen-keinan trivy-iac also scans k8s

@chen-keinan
Contributor

> @chen-keinan trivy-iac also scans k8s

Aren't the rules above made for terraform files?

@nikpivkin
Collaborator

nikpivkin commented Nov 8, 2023

@chen-keinan This policy is used when scanning k8s and helm.

@chen-keinan
Contributor

> @chen-keinan This policy is used when scanning k8s and helm.

@nikpivkin so maybe I'm misunderstanding which policies you suggested to remove?

@nikpivkin
Collaborator

nikpivkin commented Nov 8, 2023

@chen-keinan PodSecurityPolicy was removed from Kubernetes in v1.25, but it is used in k8s policy. That's why I suggested creating an issue for it, but not removing the rule.

@chen-keinan
Contributor

> @chen-keinan PodSecurityPolicy was removed from Kubernetes in v1.25, but it is used in k8s policy. That's why I suggested creating an issue for it, but not removing the rule.

I see, thanks for the clarifications.

@simar7
Member

simar7 commented Nov 8, 2023

> I opened PR aquasecurity/defsec#1492.
>
> @simar7 I checked, and found that the policies do not use this field when scanning GKE, so they don't need to be updated. But Pod Security Policies are checked when scanning k8s. I think we should create a separate issue for that. Wdyt?

As for the separate issue, we should do that for those policies as they don't seem to use these fields (but a separate k8s rego library).

@simar7
Member

simar7 commented Nov 8, 2023

> > @chen-keinan PodSecurityPolicy was removed from Kubernetes in v1.25, but it is used in k8s policy. That's why I suggested creating an issue for it, but not removing the rule.
>
> I see, thanks for the clarifications.

I've created aquasecurity/trivy#5541 to track it.

@simar7 simar7 merged commit 9030770 into aquasecurity:main Nov 8, 2023
4 checks passed
@JohnTitor JohnTitor deleted the rm-pod-sec-policy branch November 9, 2023 00:38