Merge pull request #48 from reactiveops/rs/security-capabilities

Adding Security Validations
FairwindsOps · Apr 8, 2019 · 2e7e479 · 2e7e479
2 parents 5c69b99 + 7263ff7
commit 2e7e479
Show file tree

Hide file tree

Showing 9 changed files with 478 additions and 88 deletions.
diff --git a/config.yml → config-full.yaml b/config.yml → config-full.yaml
@@ -50,29 +50,17 @@ networking:
   hostPIDSet: error
   hostPortSet: error
 security:
-  runAsPriviliged: warning
+  runAsRootAllowed: warning
+  runAsPrivileged: error
   notReadOnlyRootFileSystem: warning
-  runAsNonRoot: warning
+  privilegeEscalationAllowed: error
   capabilities:
-    blacklist:
-      error:
-        - CHOWN
-        - SYS_CHROOT
-        - AUDIT_WRITE
-    whitelist:
-      warning:
-        - CHOWN
-        - DAC_OVERRIDE
-        - FSETID
-        - FOWNER
-        - MKNOD
-        - NET_RAW
-        - SETGID
-        - SETUID
-        - SETFCAP
-        - SETPCAP
-        - NET_BIND_SERVICE
-        - SYS_CHROOT
-        - KILL
-        - AUDIT_WRITE
-
+    error:
+      ifAnyAdded:
+        - CAP_SYS_ADMIN
+        - ALL
+      ifAnyNotDropped:
+        - ALL
+    warning:
+      ifAnyAddedBeyond:
+        - NONE
diff --git a/config.yaml b/config.yaml
@@ -0,0 +1,43 @@
+resources:
+  cpuRequestsMissing: error
+  cpuLimitsMissing: error
+  memoryRequestsMissing: error
+  memoryLimitsMissing: error
+images:
+  tagNotSpecified: error
+healthChecks:
+  readinessProbeMissing: warning
+  livenessProbeMissing: warning
+networking:
+  hostAliasSet: error
+  hostIPCSet: error
+  hostNetworkSet: error
+  hostPIDSet: error
+  hostPortSet: error
+security:
+  runAsRootAllowed: warning
+  runAsPrivileged: error
+  notReadOnlyRootFileSystem: warning
+  privilegeEscalationAllowed: error
+  capabilities:
+    error:
+      ifAnyAdded:
+        - SYS_ADMIN
+        - NET_ADMIN
+        - ALL
+    warning:
+      ifAnyAddedBeyond:
+        - CHOWN
+        - DAC_OVERRIDE
+        - FSETID
+        - FOWNER
+        - MKNOD
+        - NET_RAW
+        - SETGID
+        - SETUID
+        - SETFCAP
+        - SETPCAP
+        - NET_BIND_SERVICE
+        - SYS_CHROOT
+        - KILL
+        - AUDIT_WRITE
diff --git a/deploy/all.yaml b/deploy/all.yaml
@@ -74,49 +74,14 @@ metadata:
   labels:
     app: fairwinds
 data:
-  config.yml: |
+  config.yaml: |
     resources:
-      cpuRequestsMissing: warning
-      cpuRequestRanges:
-        warning:
-          below: 50m
-          above: 1000m
-        error:
-          below: 500m
-          above: 2000m
-      cpuLimitsMissing: warning
-      cpuLimitRanges:
-        warning:
-          below: 50m
-          above: 1000m
-        error:
-          below: 500m
-          above: 2000m
-      memoryRequestsMissing: warning
-      memoryRequestRanges:
-        warning:
-          below: 50M
-          above: 2G
-        error:
-          below: 100M
-          above: 4G
-      memoryLimitsMissing: warning
-      memoryLimitRanges:
-        warning:
-          below: 50M
-          above: 2G
-        error:
-          below: 100M
-          above: 4G
+      cpuRequestsMissing: error
+      cpuLimitsMissing: error
+      memoryRequestsMissing: error
+      memoryLimitsMissing: error
     images:
       tagNotSpecified: error
-      pullPolicyNotAlways: warning
-      whitelist:
-        error:
-          - gcr.io/*
-      blacklist:
-        warning:
-          - docker.io/*
     healthChecks:
       readinessProbeMissing: warning
       livenessProbeMissing: warning
@@ -127,17 +92,18 @@ data:
       hostPIDSet: error
       hostPortSet: error
     security:
-      runAsPriviliged: warning
+      runAsRootAllowed: warning
+      runAsPrivileged: error
       notReadOnlyRootFileSystem: warning
-      runAsNonRoot: warning
+      privilegeEscalationAllowed: error
       capabilities:
-        blacklist:
-          error:
-            - CHOWN
-            - SYS_CHROOT
-            - AUDIT_WRITE
-        whitelist:
-          warning:
+        error:
+          ifAnyAdded:
+            - CAP_SYS_ADMIN
+            - CAP_NET_ADMIN
+            - ALL
+        warning:
+          ifAnyAddedBeyond:
             - CHOWN
             - DAC_OVERRIDE
             - FSETID
@@ -189,8 +155,8 @@ spec:
         - name: certs
           mountPath: /tmp/cert/
         - name: fairwinds
-          mountPath: /opt/app/config.yml
-          subPath: config.yml
+          mountPath: /opt/app/config.yaml
+          subPath: config.yaml
           readOnly: true
       - name: dashboard
         image: quay.io/reactiveops/fairwinds
@@ -207,8 +173,8 @@ spec:
             memory: 128Mi
         volumeMounts:
         - name: fairwinds
-          mountPath: /opt/app/config.yml
-          subPath: config.yml
+          mountPath: /opt/app/config.yaml
+          subPath: config.yaml
           readOnly: true
       volumes:
       - name: fairwinds

diff --git a/main.go b/main.go
@@ -58,9 +58,9 @@ func main() {
 
 	flag.Parse()
 
-	c, err := conf.ParseFile("config.yml")
+	c, err := conf.ParseFile("config.yaml")
 	if err != nil {
-		glog.Println("Error parsing config.yml:", err)
+		glog.Println("Error parsing config.yaml:", err)
 		os.Exit(1)
 	}
 

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -20,6 +20,7 @@ import (
 	"io"
 	"io/ioutil"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/util/yaml"
 )
@@ -88,16 +89,24 @@ type Networking struct {
 
 // Security contains the config for security validations.
 type Security struct {
-	RunAsNonRoot              Severity             `json:"runAsNonRoot"`
-	RunAsPriviliged           Severity             `json:"runAsPriviliged"`
-	NotReadOnlyRootFileSystem Severity             `json:"notReadOnlyRootFileSystem"`
-	Capabilities              SecurityCapabilities `json:"capabilities"`
+	RunAsRootAllowed           Severity             `json:"runAsRootAllowed"`
+	RunAsPrivileged            Severity             `json:"RunAsPrivileged"`
+	NotReadOnlyRootFileSystem  Severity             `json:"notReadOnlyRootFileSystem"`
+	PrivilegeEscalationAllowed Severity             `json:"privilegeEscalationAllowed"`
+	Capabilities               SecurityCapabilities `json:"capabilities"`
 }
 
 // SecurityCapabilities contains the config for security capabilities validations.
 type SecurityCapabilities struct {
-	Whitelist ErrorWarningLists `json:"whitelist"`
-	Blacklist ErrorWarningLists `json:"blacklist"`
+	Error   SecurityCapabilityLists `json:"error"`
+	Warning SecurityCapabilityLists `json:"warning"`
+}
+
+// SecurityCapabilityLists contains the config for security capabilitie list validations.
+type SecurityCapabilityLists struct {
+	IfAnyAdded       []corev1.Capability `json:"ifAnyAdded"`
+	IfAnyAddedBeyond []corev1.Capability `json:"ifAnyAddedBeyond"`
+	IfAnyNotDropped  []corev1.Capability `json:"ifAnyNotDropped"`
 }
 
 // ParseFile parses config from a file.

diff --git a/pkg/dashboard/dashboard.go b/pkg/dashboard/dashboard.go
@@ -3,6 +3,7 @@ package dashboard
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"html/template"
 	"net/http"
 
@@ -22,13 +23,14 @@ const (
 // TemplateData is passed to the dashboard HTML template
 type TemplateData struct {
 	AuditData validator.AuditData
-	JSON template.JS
+	JSON      template.JS
 }
 
 // MainHandler gets template data and renders the dashboard with it.
 func MainHandler(w http.ResponseWriter, r *http.Request, c conf.Configuration, kubeAPI *kube.API) {
 	auditData, err := validator.RunAudit(c, kubeAPI)
 	if err != nil {
+		fmt.Printf("Error getting audit data %v \n", err)
 		http.Error(w, "Error running audit", 500)
 		return
 	}
@@ -39,7 +41,7 @@ func MainHandler(w http.ResponseWriter, r *http.Request, c conf.Configuration, k
 	}
 	templateData := TemplateData{
 		AuditData: auditData,
-		JSON: template.JS(jsonData),
+		JSON:      template.JS(jsonData),
 	}
 	tmpl, err := template.New(TemplateName).Funcs(template.FuncMap{
 		"getWarningWidth": func(rs validator.ResultSummary, fullWidth int) uint {