K8S - Query - Service Does Not Target Pod - incorrect result #2793

Closed
gadinaor-r7 opened this issue Apr 13, 2021 · 1 comment · Fixed by #2881
Labels: bug (Something isn't working)

Comments

@gadinaor-r7

Expected Behavior

For Services defined to front things like a StatefulSet, for example, the query incorrectly flags that the Service does not have backing pods, which is incorrect since the Pod template within the StatefulSet definition does have the matching labels.

example:

# Source: alcide-kaudit/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: kaudit-mycluster
  namespace: alcide-kaudit
  labels:
    app: kaudit
    app-name: kaudit-mycluster
spec:
  ports:
    - port: 443
      protocol: TCP
      targetPort: 8443
      name: ui
  selector:
    app-name: kaudit-mycluster
---
# Source: alcide-kaudit/templates/kaudit.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kaudit-mycluster
  namespace: alcide-kaudit
  labels:
    app: kaudit
    app-name: kaudit-mycluster
  annotations:
    com.alcide.io/component.role: cloud-audit-k8s
    com.alcide.io/component.tier: database
    com.alcide.io/info.vendor: Alcide IO Inc.
spec:
  selector:
    matchLabels:
      app-name: kaudit-mycluster
  serviceName: kaudit-mycluster
  replicas: 1
  template:
    metadata:
      labels:
        app: kaudit
        app-name: kaudit-mycluster
      annotations:
        policy.alcide.io/inbound0: service://kaudit-mycluster
        policy.alcide.io/inbound1: tcp://any:8443
        policy.alcide.io/outbound0: service://kube-dns
        policy.alcide.io/outbound1: service://coredns
        policy.alcide.io/outbound2: service://kaudit-mycluster
        policy.alcide.io/outbound3: tcp://s3.us-west-2.amazonaws.com:443
    spec:
      hostname: kaudit-mycluster
      terminationGracePeriodSeconds: 120
      volumes:
      - name: policy-volume
        configMap:
          name: kaudit-policy-mycluster
          items:
            - key: audit-policy
              path: audit-policy.yaml
      - name: integration-volume
        configMap:
          name: kaudit-integrations-mycluster
          items:
            - key: audit-integration
              path: audit-integration.yaml                    
      - name: keystore-volume
        emptyDir: {}      
      - name: key-volume
        emptyDir: {}
      - name: convertkey-volume
        configMap:
          name: kaudit-mycluster-keyconvert
          items:
          - key: convert.sh
            path: convert.sh     
          defaultMode: 0770            
      - name: cert-volume
        secret:
          secretName: kaudit-mycluster-certs
      - name: config-volume
        configMap:
            name: kaudit-mycluster
            items:
              - key: audit-source
                path: audit-source.properties
      - name: data-volume
        persistentVolumeClaim:
          claimName: data-volume-claim-kaudit-mycluster
      imagePullSecrets:
        - name: registry.alcide.io-mycluster
      # Pod Security
      serviceAccountName: alcide-k8s-kaudit-mycluster      
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000590000
        runAsGroup: 1000590000
        fsGroup: 1000590000
      initContainers:
      - name: convert-pem-to-keystore
        image: gcr.io/dcvisor-162009/alcide/dcvisor/kaudit:latest
        imagePullPolicy: IfNotPresent
        command: ["/convert.sh"]
        volumeMounts:
        - name: convertkey-volume
          mountPath: /convert.sh
          subPath: convert.sh        
        - name: cert-volume
          mountPath: /input
        - name: keystore-volume
          mountPath: /output       
        # Container Security            
        securityContext:
            allowPrivilegeEscalation: false     
            capabilities:
                drop:
                - ALL          
      containers:
      - name: kaudit
        image: gcr.io/dcvisor-162009/alcide/dcvisor/kaudit:latest
        imagePullPolicy: Always   
        securityContext:     
            allowPrivilegeEscalation: false
            capabilities:
                drop:
                - ALL
        volumeMounts:             
        - name: key-volume
          mountPath: /key
        - name: keystore-volume
          mountPath: /keystore
        - name: config-volume
          mountPath: /config
        - name: policy-volume
          mountPath: /kaudit/policy
        - name: integration-volume
          mountPath: /kaudit/integration          
        - name: data-volume
          mountPath: /data
        ports:
          - containerPort: 8443
            protocol: TCP
            name: sec-api
        # Health    
        livenessProbe:
          tcpSocket:
            port: 8443
          initialDelaySeconds: 120
          periodSeconds: 10
          timeoutSeconds: 30
        readinessProbe:
          tcpSocket:
            port: 8443
          initialDelaySeconds: 120
          periodSeconds: 10
          timeoutSeconds: 30
        # Resources  
        resources:
          requests:
            memory: 2Gi
            cpu: 1
          limits:
            memory: 5Gi
            cpu: 1

        env:
        - name: ALCIDE_TOKEN
          valueFrom:
            secretKeyRef:
              name: kaudit-mycluster
              key: token

        - name: JAVA_OPTS
          value: -Xmx4G  -XX:+UseG1GC -XX:+UseStringDeduplication -Djava.security.egd=file:/dev/urandom -Dclojure.spec.skip-macros=true -Dclojure.compiler.direct-linking=true             -Dsecurity.protocol=SSL
            -Dssl.keystore.location=/keystore/keystore.jks
            -Dssl.keystore.password=abcdef
            -Dssl.truststore.location=/keystore/truststore.jks
            -Dssl.truststore.password=abcdef
            -Djavax.net.ssl.keyStore=/keystore/keystore.jks
            -Djavax.net.ssl.keyStorePassword=abcdef
            -Djavax.net.ssl.trustStore=/keystore/truststore.jks
            -Djavax.net.ssl.trustStorePassword=abcdef
        - name: CERT
          value: "/keystore/cert.pem"
        - name: PRIV_KEY
          value: "/keystore/key.p12"       
        - name: EULA
          value: "true"        
        - name: MINUTES
          value: "1"       
        - name: PROMETHEUS_METRICS
          value: "true"

        - name: TOKEN                # GKE-token (for GKE)
          valueFrom:
            secretKeyRef:
              name: kaudit-mycluster
              key: gkeToken

        - name: CONNECTION_STRING    # Azure EventHubName connection (for AKS)
          valueFrom:
            secretKeyRef:
              name: kaudit-mycluster
              key: aksConnectionString

        - name: SECRET_ACCESS_KEY    # AWS Kinesis stream credentials (for EKS)
          valueFrom:
            secretKeyRef:
              name: kaudit-mycluster
              key: awsSecretAccessKey

        - name: STORE_LOCATION
          value: /data

Actual Behavior

Service Does Not Target Pod, Severity: LOW, Results: 1
Description: Service should Target a Pod
Platform: Kubernetes

    [1]: /path/kaudit_for_gke.yaml:432

        431:       name: ui
        432:   selector:
        433:     app-name: kaudit-mycluster

Specifications

  • Version: kics v1.2.2
  • Platform: K8S
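The check the report describes has to look for the Service's selector labels inside pod templates embedded in workload controllers (StatefulSet, Deployment, DaemonSet, Job, CronJob), not only on bare Pod objects, and only within the Service's own namespace. The following is an added example of that logic written for this page; it is not the KICS query (which is written in Rego) and not Alcide's code. It assumes the manifests have already been parsed into Python dicts (for instance with a YAML loader), and the sample manifests are constructed from the Service and StatefulSet in the issue, reduced to the fields the check needs, plus three extra Services that exercise the namespace, extra-label and no-selector cases.

```python
"""Service-targets-pod check over parsed Kubernetes manifests.

Added example for this issue, not KICS or Alcide code. Manifests are plain
dicts (assumption: produced by a YAML loader); sample data is constructed.
"""

# Workload kinds that carry a pod template, and the path to the template's
# metadata. CronJob nests a Job template, so its template sits one level deeper.
POD_TEMPLATE_PATHS = {
    "Pod": ("metadata",),
    "Deployment": ("spec", "template", "metadata"),
    "StatefulSet": ("spec", "template", "metadata"),
    "DaemonSet": ("spec", "template", "metadata"),
    "ReplicaSet": ("spec", "template", "metadata"),
    "Job": ("spec", "template", "metadata"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "metadata"),
}


def _dig(doc, path):
    """Walk nested dicts along `path`; return None if any step is missing."""
    for key in path:
        if not isinstance(doc, dict):
            return None
        doc = doc.get(key)
    return doc


def pod_label_sets(docs):
    """Return (namespace, kind/name, labels) for every pod template found.

    Kubernetes puts objects with no metadata.namespace into "default".
    """
    out = []
    for doc in docs:
        path = POD_TEMPLATE_PATHS.get(doc.get("kind"))
        if path is None:
            continue
        meta = _dig(doc, path) or {}
        obj_meta = doc.get("metadata", {})
        ns = obj_meta.get("namespace", "default")
        name = f'{doc["kind"]}/{obj_meta.get("name", "?")}'
        out.append((ns, name, meta.get("labels") or {}))
    return out


def selector_matches(selector, labels):
    """Equality-based selector: every selector pair must appear in labels.

    Extra labels on the pod are fine; a missing or differing one is not.
    """
    return all(labels.get(k) == v for k, v in selector.items())


def services_without_targets(docs):
    """Names of Services whose selector matches no pod template in their
    namespace. Services without a selector are skipped: their Endpoints are
    managed outside the Service (or it is an ExternalName Service)."""
    templates = pod_label_sets(docs)
    untargeted = []
    for doc in docs:
        if doc.get("kind") != "Service":
            continue
        selector = doc.get("spec", {}).get("selector")
        if not selector:
            continue
        ns = doc.get("metadata", {}).get("namespace", "default")
        if not any(selector_matches(selector, labels)
                   for t_ns, _, labels in templates if t_ns == ns):
            untargeted.append(f'Service/{doc["metadata"]["name"]}')
    return untargeted


# Constructed sample: the issue's Service and StatefulSet, reduced, plus three
# Services that show the cases a correct check must distinguish.
MANIFESTS = [
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "kaudit-mycluster", "namespace": "alcide-kaudit"},
     "spec": {"selector": {"app-name": "kaudit-mycluster"}}},
    {"apiVersion": "apps/v1", "kind": "StatefulSet",
     "metadata": {"name": "kaudit-mycluster", "namespace": "alcide-kaudit"},
     "spec": {"selector": {"matchLabels": {"app-name": "kaudit-mycluster"}},
              "template": {"metadata": {"labels": {
                  "app": "kaudit", "app-name": "kaudit-mycluster"}}}}},
    # Same selector but a different namespace: no target, must be reported.
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "kaudit-wrong-ns", "namespace": "other"},
     "spec": {"selector": {"app-name": "kaudit-mycluster"}}},
    # Selector demands a label the template lacks: must be reported.
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "kaudit-extra-label", "namespace": "alcide-kaudit"},
     "spec": {"selector": {"app-name": "kaudit-mycluster", "tier": "db"}}},
    # No selector at all: not a finding for this check.
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "external-db", "namespace": "alcide-kaudit"},
     "spec": {"type": "ExternalName", "externalName": "db.example.internal"}},
]

if __name__ == "__main__":
    print(services_without_targets(MANIFESTS))
```

Run against the constructed manifests, the issue's own Service is not reported because the StatefulSet's pod template in the same namespace carries `app-name: kaudit-mycluster`; only the cross-namespace Service and the one asking for a label the template lacks come back. Matching only `matchLabels` of the controller would be a weaker check, since the Service routes to pods, and it is the pod template's labels that pods actually get.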
gadinaor-r7 added the "bug" label Apr 13, 2021
@rogeriopeixotocx
Contributor

@gadinaor-r7 Thank you for reporting this, we'll take a look into it ASAP.

joaoReigota1 added a commit that referenced this issue Apr 19, 2021
@rogeriopeixotocx rogeriopeixotocx changed the title K8S // Query // Service Does Not Target Pod - incorrect result K8S - Query - Service Does Not Target Pod - incorrect result Apr 19, 2021
rogeriopeixotocx pushed a commit that referenced this issue Apr 19, 2021
Signed-off-by: João Reigota <[email protected]>
Co-authored-by: rafaela-soares <[email protected]>