bug(k8s): KSV110 does not seem to be applied #5137
Comments
+1. Also it does not trigger the KSV-0110? rule when there is no specific namespace mentioned. In these situations the default namespace is defaulted to and Trivy should detect this. E.g.,

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app-container
        image: nginx:latest
        ports:
        - containerPort: 80
```

Then scan it with trivy in config mode. Issues:

```
HIGH: Container 'my-app-container' of Deployment 'my-app' should set 'securityContext.readOnlyRootFilesystem' to true
HIGH: deployment my-app in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024
MEDIUM: container "my-app-container" of deployment "my-app" in "default" namespace should specify a seccomp profile
MEDIUM: Container 'my-app-container' of Deployment 'my-app' should set 'securityContext.allowPrivilegeEscalation' to false
MEDIUM: Container 'my-app-container' of Deployment 'my-app' should set 'securityContext.runAsNonRoot' to true
MEDIUM: Container 'my-app-container' of Deployment 'my-app' should specify an image tag
LOW: Container 'my-app-container' of Deployment 'my-app' should add 'ALL' to 'securityContext.capabilities.drop'
LOW: Container 'my-app-container' of Deployment 'my-app' should set 'resources.limits.cpu'
LOW: Container 'my-app-container' of Deployment 'my-app' should set 'resources.limits.memory'
LOW: Container 'my-app-container' of Deployment 'my-app' should set 'resources.requests.cpu'
LOW: Container 'my-app-container' of Deployment 'my-app' should set 'resources.requests.memory'
LOW: Container 'my-app-container' of Deployment 'my-app' should set 'securityContext.runAsGroup' > 10000
LOW: Container 'my-app-container' of Deployment 'my-app' should set 'securityContext.runAsUser' > 10000
LOW: container should drop all
LOW: Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
```

Note especially how Trivy does have two rules specific to issues in the use of a default namespace, but KSV-0110 is not thrown.
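A minimal check in the spirit of KSV110 that reports both the explicit `namespace: default` case and the omitted-namespace case raised in the comment above. This is an added example, not Trivy's own Rego check, and it assumes the manifests have already been decoded to JSON (for example via `kubectl -o json`) so that only the standard library is needed.

```python
import json

# Namespaced workload kinds a KSV110-style check cares about; cluster-scoped
# kinds (Namespace, ClusterRole, Node, ...) carry no namespace and are skipped.
WORKLOAD_KINDS = {
    "Pod", "Deployment", "ReplicaSet", "StatefulSet", "DaemonSet",
    "Job", "CronJob", "ReplicationController",
}


def default_namespace_findings(objects):
    """One finding per workload that resolves to the 'default' namespace:
    namespace explicitly "default", or omitted (the API server defaults it)."""
    findings = []
    for obj in objects:
        kind = obj.get("kind")
        if kind not in WORKLOAD_KINDS:
            continue
        meta = obj.get("metadata") or {}
        name = meta.get("name", "<unnamed>")
        ns = meta.get("namespace")
        if ns is None:
            findings.append(f"{kind} '{name}' omits metadata.namespace, so it is created in 'default'")
        elif ns == "default":
            findings.append(f"{kind} '{name}' explicitly sets metadata.namespace: default")
    return findings


def findings_from_json(text):
    """Accept one object or a kind: List document (what kubectl -o json emits)."""
    doc = json.loads(text)
    objects = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return default_namespace_findings(objects)


# Constructed sample (not from a real cluster): the issue's Deployment with no
# namespace, a copy pinned to "default", one in "prod", and a cluster-scoped
# Namespace object that must not be flagged.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "my-app"}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "my-app-default", "namespace": "default"}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "my-app-prod", "namespace": "prod"}},
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "default"}},
]})

if __name__ == "__main__":
    for finding in findings_from_json(SAMPLE):
        print(finding)
```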
Hmm I see - not sure tbh, I don't see why they shouldn't be in the bundle. @chen-keinan is there any reason why we shouldn't have them in the bundle?

@simar7 IMHO it should be included

Closed via aquasecurity/trivy-checks@792e6d4
@chen-keinan @simar7 What is the "advanced" category? What makes a check "advanced" and who decides that?

Nothing special, it's just not part of PSS and was added later following additional NSA checks

So basically everything that is not PSS is advanced?
Discussed in #5083

Originally posted by mochizuki875 September 1, 2023

Question

I'm using the `trivy config <kubernetes-manifest.yaml>` command to find misconfigurations, and some are found. However, which policy is the scan based on?
I've read the related section and found the policy repo.
There are some types of policy-set in the policy repo, and not all of them seem to be applied.
For example, KSV110 in advanced does not work if I set `metadata.namespace: default` in the Kubernetes manifest.

Target: Kubernetes
Scanner: Misconfiguration
Output Format: Table
Mode: Standalone
Operating System: Linux(5.15.0-78-generic) Ubuntu 22.04
Version: