kubeaudit does not understand PodSecurityContext.seccompProfile
ISSUE TYPE
- [x] Bug Report
BUG REPORT
SUMMARY
In k8s 1.20, the GA syntax for setting seccompProfile was introduced:

```yaml
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
```

When running kubeaudit on pods with this setting, it complains about SeccompAnnotationMissing.
ENVIRONMENT
- Kubeaudit version: v0.14.1
- Kubeaudit install method: docker image using "With RBAC" manifest
STEPS TO REPRODUCE
Deploy the kubernetes-dashboard according to https://github.com/kubernetes/dashboard/blob/master/aio/deploy/recommended.yaml, but with the daemonset spec modified as follows:
```yaml
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - args:
        - --auto-generate-certificates
        - --dashboard-endpoint=https://127.0.0.1:8443
        image: docker.io/kublr/k8s-dashboard-auth-proxy:v1.0
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /
            port: 9443
            scheme: HTTPS
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 30
        name: kubernetes-dashboard-auth-proxy
        ports:
        - containerPort: 9443
          protocol: TCP
        resources:
          limits:
            cpu: 50m
            memory: 100Mi
          requests:
            cpu: 5m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 2001
          runAsUser: 1001
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /certs
          name: kubernetes-dashboard-certs
        - mountPath: /tmp
          name: tmp-volume
      - args:
        - --auto-generate-certificates
        - --namespace=kubernetes-dashboard
        - --enable-skip-login=true
        image: docker.io/kubernetesui/dashboard:v2.0.4
        imagePullPolicy: Always
        name: kubernetes-dashboard
        ports:
        - containerPort: 8443
          protocol: TCP
        resources:
          limits:
            cpu: 100m
            memory: 512Mi
          requests:
            cpu: 10m
            memory: 50Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 2001
          runAsUser: 1001
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /certs
          name: kubernetes-dashboard-certs
        - mountPath: /tmp
          name: tmp-volume
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        # Pod-level GA field; the legacy seccomp.security.alpha.kubernetes.io/pod
        # annotation is deliberately not set on this template.
        seccompProfile:
          type: RuntimeDefault
      serviceAccount: kubernetes-dashboard
      serviceAccountName: kubernetes-dashboard
      terminationGracePeriodSeconds: 30
      tolerations:
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          defaultMode: 420
          secretName: kubernetes-dashboard-certs
      - emptyDir: {}
        name: tmp-volume
```
Run kubeaudit by applying the following manifest:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubeaudit
  namespace: default
---
kind: ClusterRole
# The report used rbac.authorization.k8s.io/v1beta1, which was removed in Kubernetes 1.22;
# v1 has the same schema and is accepted by every supported release.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubeaudit
rules:
- apiGroups: [""]
  resources:
  - pods
  - podtemplates
  - replicationcontrollers
  - namespaces
  - serviceaccounts
  verbs: ["list"]
- apiGroups: ["apps"]
  resources:
  - daemonsets
  - statefulsets
  - deployments
  verbs: ["list"]
- apiGroups: ["batch"]
  resources:
  - cronjobs
  verbs: ["list"]
- apiGroups: ["networking.k8s.io"]
  resources:
  - networkpolicies
  verbs: ["list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubeaudit
subjects:
- kind: ServiceAccount
  name: kubeaudit
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeaudit
---
apiVersion: batch/v1
kind: Job
metadata:
  name: kubeaudit
  namespace: default
spec:
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/kubeaudit: runtime/default
        seccomp.security.alpha.kubernetes.io/pod: runtime/default
    spec:
      serviceAccountName: kubeaudit
      restartPolicy: OnFailure
      containers:
      - name: kubeaudit
        image: shopify/kubeaudit:v0.14.1
        args: ["all", "--exitcode", "0"]
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
```
EXPECTED RESULTS
Kubeaudit complains about AppArmorAnnotationMissing but not about SeccompAnnotationMissing.
ACTUAL RESULTS
```text
---------------- Results for ---------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
--------------------------------------------

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard-auth-proxy' should be added.
   Metadata:
      Container: kubernetes-dashboard-auth-proxy
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard-auth-proxy

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard' should be added.
   Metadata:
      Container: kubernetes-dashboard
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/kubernetes-dashboard

-- [error] SeccompAnnotationMissing
   Message: Seccomp annotation is missing. The annotation seccomp.security.alpha.kubernetes.io/pod: runtime/default should be added.
   Metadata:
      MissingAnnotation: seccomp.security.alpha.kubernetes.io/pod
```
ADDITIONAL INFORMATION
Hey @dmitry-irtegov, thanks for bringing this up and providing a detailed example! This sounds like something we definitely want to support.
Hey @genevieveluyt, mind if I take a look at this?
@danishprakash Did you ever take a look at this?
Hi @genevieveluyt, I'm planning to fix this issue. I'm wondering whether I should make a breaking change to kubeaudit and support seccompProfile only in securityContext, or whether it's better to still support both the annotations and securityContext?
Thanks
(FWIW the securityContext field was added in k8s 1.19 which was released in August 2020. k8s 1.18 is end of life, and has been for a while, so it would seem fair to me to no longer support it. But I'm just someone interested in this feature 😄.)
Hey @danishprakash and @Ser87ch, sorry I missed your messages! I've been getting too many Dependabot notifications drowning out the important ones 😢. Thank you @Ser87ch for opening a PR, I will take a look!
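For readers who want to see what a field-aware seccomp check looks like, here is an added example written for this page; it is not kubeaudit's own code, nor the fix that landed in the PR mentioned above. It resolves the effective seccomp profile for each container from both the GA `securityContext.seccompProfile` field and the deprecated `seccomp.security.alpha.kubernetes.io/...` annotations, with the container-level field overriding the pod-level one (as for every securityContext setting) and the fields consulted before the annotations, so a template like the reporter's Deployment passes without any annotation. The type names mirror the Kubernetes API shape but are hand-written stand-ins so the code compiles with only the standard library; `SeccompFindings`, `effectiveProfile`, `annotationToType`, `ParseTemplate` and the two sample templates are assumptions of this example, and the samples are constructed, not captured from a cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hand-written stand-ins for the k8s.io/api Pod types (example code, not kubeaudit's
// implementation); only the fields the seccomp check reads are modelled.
type SeccompProfile struct {
	Type string `json:"type"` // Unconfined | RuntimeDefault | Localhost
}
type SecurityContext struct {
	SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty"`
}
type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}
type PodSpec struct {
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	Containers      []Container      `json:"containers"`
}
type PodTemplate struct {
	Metadata struct{ Annotations map[string]string `json:"annotations,omitempty"` } `json:"metadata"`
	Spec     PodSpec                                                                `json:"spec"`
}

const podAnnotation = "seccomp.security.alpha.kubernetes.io/pod"
const containerAnnotation = "container.seccomp.security.alpha.kubernetes.io/"

// annotationToType maps the deprecated annotation values onto the seccompProfile.type vocabulary.
func annotationToType(v string) string {
	switch {
	case v == "runtime/default" || v == "docker/default":
		return "RuntimeDefault"
	case v == "unconfined":
		return "Unconfined"
	case strings.HasPrefix(v, "localhost/"):
		return "Localhost"
	}
	return "Unknown(" + v + ")"
}

// effectiveProfile resolves the profile that applies to one container: container field,
// then pod field, then the deprecated container and pod annotations. found is false when nothing sets one.
func effectiveProfile(tpl PodTemplate, c Container) (profile string, found bool) {
	if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
		return c.SecurityContext.SeccompProfile.Type, true
	}
	if p := tpl.Spec.SecurityContext; p != nil && p.SeccompProfile != nil {
		return p.SeccompProfile.Type, true
	}
	for _, key := range []string{containerAnnotation + c.Name, podAnnotation} {
		if v, ok := tpl.Metadata.Annotations[key]; ok {
			return annotationToType(v), true
		}
	}
	return "", false
}

// SeccompFindings returns one finding per container that is not confined; an empty result means the template passes.
func SeccompFindings(tpl PodTemplate) []string {
	var findings []string
	for _, c := range tpl.Spec.Containers {
		switch prof, found := effectiveProfile(tpl, c); {
		case !found:
			findings = append(findings, "SeccompProfileMissing: "+c.Name)
		case prof == "Unconfined":
			findings = append(findings, "SeccompDisabled: "+c.Name)
		case prof != "RuntimeDefault" && prof != "Localhost":
			findings = append(findings, "SeccompProfileInvalid: "+c.Name+" "+prof)
		}
	}
	return findings
}

// ParseTemplate decodes a pod template in its JSON wire form (the shape found under spec.template in `kubectl get -o json`).
func ParseTemplate(data []byte) (PodTemplate, error) {
	var tpl PodTemplate
	err := json.Unmarshal(data, &tpl)
	return tpl, err
}

// Constructed sample mirroring the reporter's Deployment: pod-level field only, no seccomp annotations.
const SampleFieldOnly = `{"metadata": {}, "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [{"name": "kubernetes-dashboard-auth-proxy"}, {"name": "kubernetes-dashboard"}]}}`

// Constructed sample: the pod annotation confines the pod, but one container opts out through the field, which wins.
const SampleOptOut = `{"metadata": {"annotations": {"seccomp.security.alpha.kubernetes.io/pod": "runtime/default"}},
  "spec": {"containers": [{"name": "web"}, {"name": "debug", "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}`

func main() {
	for _, s := range []string{SampleFieldOnly, SampleOptOut} {
		tpl, _ := ParseTemplate([]byte(s)) // the constructed samples are known-good JSON
		fmt.Println(SeccompFindings(tpl))
	}
}
```

Run against the first sample the check returns no findings, which is the behaviour the report asks for. The second sample is why the check is per container rather than per pod: a pod-wide annotation (or pod-level field) can be undone by a single container that sets `type: Unconfined`, and a checker that only looks at the pod annotation would report that template as clean.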