Kubeaudit audits all containers now

Shopify · Feb 9, 2018 · fdf57e2 · fdf57e2
1 parent ab321df
commit fdf57e2
Show file tree

Hide file tree

Showing 18 changed files with 228 additions and 102 deletions.
diff --git a/cmd/allowPrivilegeEscalation.go b/cmd/allowPrivilegeEscalation.go
@@ -9,33 +9,37 @@ func checkAllowPrivilegeEscalation(container Container, result *Result) {
 	if reason := result.Labels["audit.kubernetes.io/allow-privilege-escalation"]; reason == "" {
 		if container.SecurityContext == nil || container.SecurityContext.AllowPrivilegeEscalation == nil {
 			occ := Occurrence{
-				id:      ErrorAllowPrivilegeEscalationNIL,
-				kind:    Error,
-				message: "AllowPrivilegeEscalation not set which allows privilege escalation, please set to false",
+				container: container.Name,
+				id:        ErrorAllowPrivilegeEscalationNIL,
+				kind:      Error,
+				message:   "AllowPrivilegeEscalation not set which allows privilege escalation, please set to false",
 			}
 			result.Occurrences = append(result.Occurrences, occ)
 		} else if *container.SecurityContext.AllowPrivilegeEscalation == true {
 			occ := Occurrence{
-				id:      ErrorAllowPrivilegeEscalationTrue,
-				kind:    Error,
-				message: "AllowPrivilegeEscalation set to true, please set to false",
+				container: container.Name,
+				id:        ErrorAllowPrivilegeEscalationTrue,
+				kind:      Error,
+				message:   "AllowPrivilegeEscalation set to true, please set to false",
 			}
 			result.Occurrences = append(result.Occurrences, occ)
 		}
 	} else if container.SecurityContext == nil || container.SecurityContext.AllowPrivilegeEscalation == nil || *container.SecurityContext.AllowPrivilegeEscalation == true {
 		occ := Occurrence{
-			id:       ErrorAllowPrivilegeEscalationTrueAllowed,
-			kind:     Warn,
-			message:  "Allowed AllowPrivilegeEscalation to be set as true",
-			metadata: Metadata{"Reason": prettifyReason(reason)},
+			container: container.Name,
+			id:        ErrorAllowPrivilegeEscalationTrueAllowed,
+			kind:      Warn,
+			message:   "Allowed AllowPrivilegeEscalation to be set as true",
+			metadata:  Metadata{"Reason": prettifyReason(reason)},
 		}
 		result.Occurrences = append(result.Occurrences, occ)
 	} else {
 		occ := Occurrence{
-			id:       ErrorMisconfiguredKubeauditAllow,
-			kind:     Warn,
-			message:  "Allowed setting AllowPrivilegeEscalation to true, but it is set to false",
-			metadata: Metadata{"Reason": prettifyReason(reason)},
+			container: container.Name,
+			id:        ErrorMisconfiguredKubeauditAllow,
+			kind:      Warn,
+			message:   "Allowed setting AllowPrivilegeEscalation to true, but it is set to false",
+			metadata:  Metadata{"Reason": prettifyReason(reason)},
 		}
 		result.Occurrences = append(result.Occurrences, occ)
 	}

diff --git a/cmd/allowPrivilegeEscalation_fixes.go b/cmd/allowPrivilegeEscalation_fixes.go
@@ -2,10 +2,12 @@ package cmd
 
 import k8sRuntime "k8s.io/apimachinery/pkg/runtime"
 
-func fixAllowPrivilegeEscalation(resource k8sRuntime.Object) k8sRuntime.Object {
+func fixAllowPrivilegeEscalation(resource k8sRuntime.Object, occurrence Occurrence) k8sRuntime.Object {
 	var containers []Container
 	for _, container := range getContainers(resource) {
-		container.SecurityContext.AllowPrivilegeEscalation = newFalse()
+		if occurrence.container == container.Name {
+			container.SecurityContext.AllowPrivilegeEscalation = newFalse()
+		}
 		containers = append(containers, container)
 	}
 	return setContainers(resource, containers)

diff --git a/cmd/autofix.go b/cmd/autofix.go
@@ -19,17 +19,17 @@ func fixPotentialSecurityIssue(resource k8sRuntime.Object, result Result) k8sRun
 	for _, occurrence := range result.Occurrences {
 		switch occurrence.id {
 		case ErrorAllowPrivilegeEscalationNIL, ErrorAllowPrivilegeEscalationTrue:
-			resource = fixAllowPrivilegeEscalation(resource)
+			resource = fixAllowPrivilegeEscalation(resource, occurrence)
 		case ErrorCapabilityNotDropped:
 			resource = fixCapabilityNotDropped(resource, occurrence)
 		case ErrorCapabilityAdded:
 			resource = fixCapabilityAdded(resource, occurrence)
 		case ErrorPrivilegedNIL, ErrorPrivilegedTrue:
-			resource = fixPrivileged(resource)
+			resource = fixPrivileged(resource, occurrence)
 		case ErrorReadOnlyRootFilesystemFalse, ErrorReadOnlyRootFilesystemNIL:
-			resource = fixReadOnlyRootFilesystem(resource)
+			resource = fixReadOnlyRootFilesystem(resource, occurrence)
 		case ErrorRunAsNonRootFalse, ErrorRunAsNonRootNIL:
-			resource = fixRunAsNonRoot(resource)
+			resource = fixRunAsNonRoot(resource, occurrence)
 		case ErrorServiceAccountTokenDeprecated:
 			resource = fixDeprecatedServiceAccount(resource)
 		case ErrorAutomountServiceAccountTokenTrueAndNoName, ErrorAutomountServiceAccountTokenNILAndNoName:

diff --git a/cmd/capabilities.go b/cmd/capabilities.go
@@ -46,9 +46,10 @@ func checkCapabilities(container Container, result *Result) {
 	toBeDropped, err := recommendedCapabilitiesToBeDropped()
 	if err != nil {
 		occ := Occurrence{
-			id:      KubeauditInternalError,
-			kind:    Error,
-			message: "This should not have happened, if you are on kubeaudit master please consider to report: " + err.Error(),
+			container: container.Name,
+			id:        KubeauditInternalError,
+			kind:      Error,
+			message:   "This should not have happened, if you are on kubeaudit master please consider to report: " + err.Error(),
 		}
 		result.Occurrences = append(result.Occurrences, occ)
 		return
@@ -57,25 +58,28 @@ func checkCapabilities(container Container, result *Result) {
 	for _, cap := range sortCapSet(mergeCapSets(toBeDropped, dropped, allowed, added)) {
 		if !allowed[cap] && !dropped[cap] && toBeDropped[cap] {
 			occ := Occurrence{
-				id:       ErrorCapabilityNotDropped,
-				kind:     Error,
-				message:  "Capability not dropped",
-				metadata: Metadata{"CapName": string(cap)},
+				container: container.Name,
+				id:        ErrorCapabilityNotDropped,
+				kind:      Error,
+				message:   "Capability not dropped",
+				metadata:  Metadata{"CapName": string(cap)},
 			}
 			result.Occurrences = append(result.Occurrences, occ)
 		} else if !allowed[cap] && added[cap] {
 			occ := Occurrence{
-				id:       ErrorCapabilityAdded,
-				kind:     Error,
-				message:  "Capability added",
-				metadata: Metadata{"CapName": string(cap)},
+				container: container.Name,
+				id:        ErrorCapabilityAdded,
+				kind:      Error,
+				message:   "Capability added",
+				metadata:  Metadata{"CapName": string(cap)},
 			}
 			result.Occurrences = append(result.Occurrences, occ)
 		} else if allowed[cap] && (toBeDropped[cap] && !dropped[cap] || added[cap]) {
 			occ := Occurrence{
-				id:      ErrorCapabilityAllowed,
-				kind:    Warn,
-				message: "Capability allowed",
+				container: container.Name,
+				id:        ErrorCapabilityAllowed,
+				kind:      Warn,
+				message:   "Capability allowed",
 				metadata: Metadata{
 					"CapName": string(cap),
 					"Reason":  prettifyReason(allowedMap[cap]),
@@ -84,9 +88,10 @@ func checkCapabilities(container Container, result *Result) {
 			result.Occurrences = append(result.Occurrences, occ)
 		} else if allowed[cap] && !(toBeDropped[cap] && !dropped[cap] || added[cap]) {
 			occ := Occurrence{
-				id:      ErrorMisconfiguredKubeauditAllow,
-				kind:    Warn,
-				message: "Capability allowed but not present",
+				container: container.Name,
+				id:        ErrorMisconfiguredKubeauditAllow,
+				kind:      Warn,
+				message:   "Capability allowed but not present",
 				metadata: Metadata{
 					"CapName": string(cap),
 					"Reason":  allowedMap[cap],
@@ -103,7 +108,6 @@ func auditCapabilities(resource k8sRuntime.Object) (results []Result) {
 		checkCapabilities(container, &result)
 		if len(result.Occurrences) > 0 {
 			results = append(results, result)
-			break
 		}
 	}
 	return

diff --git a/cmd/capabilities_fixes.go b/cmd/capabilities_fixes.go
@@ -22,7 +22,9 @@ func fixCapabilitiesNIL(resource k8sRuntime.Object) k8sRuntime.Object {
 func fixCapabilityNotDropped(resource k8sRuntime.Object, occurrence Occurrence) k8sRuntime.Object {
 	var containers []Container
 	for _, container := range getContainers(resource) {
-		container.SecurityContext.Capabilities.Drop = append(container.SecurityContext.Capabilities.Drop, Capability(occurrence.metadata["CapName"]))
+		if occurrence.container == container.Name {
+			container.SecurityContext.Capabilities.Drop = append(container.SecurityContext.Capabilities.Drop, Capability(occurrence.metadata["CapName"]))
+		}
 		containers = append(containers, container)
 	}
 	return setContainers(resource, containers)
@@ -31,13 +33,15 @@ func fixCapabilityNotDropped(resource k8sRuntime.Object, occurrence Occurrence)
 func fixCapabilityAdded(resource k8sRuntime.Object, occurrence Occurrence) k8sRuntime.Object {
 	var containers []Container
 	for _, container := range getContainers(resource) {
-		add := []Capability{}
-		for _, cap := range container.SecurityContext.Capabilities.Add {
-			if string(cap) != occurrence.metadata["CapName"] {
-				add = append(add, cap)
+		if occurrence.container == container.Name {
+			add := []Capability{}
+			for _, cap := range container.SecurityContext.Capabilities.Add {
+				if string(cap) != occurrence.metadata["CapName"] {
+					add = append(add, cap)
+				}
 			}
+			container.SecurityContext.Capabilities.Add = add
 		}
-		container.SecurityContext.Capabilities.Add = add
 		containers = append(containers, container)
 	}
 	return setContainers(resource, containers)

diff --git a/cmd/image.go b/cmd/image.go
@@ -33,19 +33,34 @@ func checkImage(container Container, image imgFlags, result *Result) {
 	result.ImageTag = contImage.tag
 
 	if len(contImage.tag) == 0 {
-		occ := Occurrence{id: ErrorImageTagMissing, kind: Warn, message: "Image tag was missing"}
+		occ := Occurrence{
+			container: container.Name,
+			id:        ErrorImageTagMissing,
+			kind:      Warn,
+			message:   "Image tag was missing",
+		}
 		result.Occurrences = append(result.Occurrences, occ)
 		return
 	}
 
 	if contImage.name == image.name && contImage.tag != image.tag {
-		occ := Occurrence{id: ErrorImageTagIncorrect, kind: Error, message: "Image tag was incorrect"}
+		occ := Occurrence{
+			container: container.Name,
+			id:        ErrorImageTagIncorrect,
+			kind:      Error,
+			message:   "Image tag was incorrect",
+		}
 		result.Occurrences = append(result.Occurrences, occ)
 		return
 	}
 
 	if contImage.name == image.name && contImage.tag == image.tag {
-		occ := Occurrence{id: InfoImageCorrect, kind: Info, message: "Image tag was correct"}
+		occ := Occurrence{
+			container: container.Name,
+			id:        InfoImageCorrect,
+			kind:      Info,
+			message:   "Image tag was correct",
+		}
 		result.Occurrences = append(result.Occurrences, occ)
 		return
 	}

diff --git a/cmd/occurrence.go b/cmd/occurrence.go
@@ -1,8 +1,9 @@
 package cmd
 
 type Occurrence struct {
-	kind     int    // represent  {debug, log, warn, error}
-	id       int    // KubeAuditInfo, ErrorImageTagMissing ...
-	message  string // just the message
-	metadata Metadata
+	kind      int    // represent  {debug, log, warn, error}
+	id        int    // KubeAuditInfo, ErrorImageTagMissing ...
+	message   string // just the message
+	container string // name of the container
+	metadata  Metadata
 }
diff --git a/cmd/privileged.go b/cmd/privileged.go
@@ -9,33 +9,37 @@ import (
 func checkPrivileged(container Container, result *Result) {
 	if container.SecurityContext == nil || container.SecurityContext.Privileged == nil {
 		occ := Occurrence{
-			id:      ErrorPrivilegedNIL,
-			kind:    Warn,
-			message: "Privileged defaults to false, which results in non privileged, which is okay.",
+			container: container.Name,
+			id:        ErrorPrivilegedNIL,
+			kind:      Warn,
+			message:   "Privileged defaults to false, which results in non privileged, which is okay.",
 		}
 		result.Occurrences = append(result.Occurrences, occ)
 	} else if reason := result.Labels["audit.kubernetes.io/allow-privileged"]; reason != "" {
 		if *container.SecurityContext.Privileged == true {
 			occ := Occurrence{
-				id:       ErrorPrivilegedTrueAllowed,
-				kind:     Warn,
-				message:  "Allowed setting privileged to true",
-				metadata: Metadata{"Reason": prettifyReason(reason)},
+				container: container.Name,
+				id:        ErrorPrivilegedTrueAllowed,
+				kind:      Warn,
+				message:   "Allowed setting privileged to true",
+				metadata:  Metadata{"Reason": prettifyReason(reason)},
 			}
 			result.Occurrences = append(result.Occurrences, occ)
 		} else {
 			occ := Occurrence{
-				id:      ErrorMisconfiguredKubeauditAllow,
-				kind:    Warn,
-				message: "Allowed setting privileged to true, but privileged is false or nil",
+				container: container.Name,
+				id:        ErrorMisconfiguredKubeauditAllow,
+				kind:      Warn,
+				message:   "Allowed setting privileged to true, but privileged is false or nil",
 			}
 			result.Occurrences = append(result.Occurrences, occ)
 		}
 	} else if *container.SecurityContext.Privileged == true {
 		occ := Occurrence{
-			id:      ErrorPrivilegedTrue,
-			kind:    Error,
-			message: "Privileged set to true! Please change it to false!",
+			container: container.Name,
+			id:        ErrorPrivilegedTrue,
+			kind:      Error,
+			message:   "Privileged set to true! Please change it to false!",
 		}
 		result.Occurrences = append(result.Occurrences, occ)
 	}

diff --git a/cmd/privileged_fixes.go b/cmd/privileged_fixes.go
@@ -2,10 +2,12 @@ package cmd
 
 import k8sRuntime "k8s.io/apimachinery/pkg/runtime"
 
-func fixPrivileged(resource k8sRuntime.Object) k8sRuntime.Object {
+func fixPrivileged(resource k8sRuntime.Object, occurrence Occurrence) k8sRuntime.Object {
 	var containers []Container
 	for _, container := range getContainers(resource) {
-		container.SecurityContext.Privileged = newFalse()
+		if occurrence.container == container.Name {
+			container.SecurityContext.Privileged = newFalse()
+		}
 		containers = append(containers, container)
 	}
 	return setContainers(resource, containers)

diff --git a/cmd/readOnlyRootFilesystem.go b/cmd/readOnlyRootFilesystem.go
@@ -10,33 +10,37 @@ func checkReadOnlyRootFS(container Container, result *Result) {
 	if reason := result.Labels["audit.kubernetes.io/allow-read-only-root-filesystem-false"]; reason != "" {
 		if container.SecurityContext == nil || container.SecurityContext.ReadOnlyRootFilesystem == nil || *container.SecurityContext.ReadOnlyRootFilesystem == false {
 			occ := Occurrence{
-				id:       ErrorReadOnlyRootFilesystemFalseAllowed,
-				kind:     Warn,
-				message:  "Allowed setting readOnlyRootFilesystem to false",
-				metadata: Metadata{"Reason": prettifyReason(reason)},
+				container: container.Name,
+				id:        ErrorReadOnlyRootFilesystemFalseAllowed,
+				kind:      Warn,
+				message:   "Allowed setting readOnlyRootFilesystem to false",
+				metadata:  Metadata{"Reason": prettifyReason(reason)},
 			}
 			result.Occurrences = append(result.Occurrences, occ)
 		} else {
 			occ := Occurrence{
-				id:       ErrorMisconfiguredKubeauditAllow,
-				kind:     Warn,
-				message:  "Allowed setting readOnlyRootFilesystem to false, but it is set to true",
-				metadata: Metadata{"Reason": prettifyReason(reason)},
+				container: container.Name,
+				id:        ErrorMisconfiguredKubeauditAllow,
+				kind:      Warn,
+				message:   "Allowed setting readOnlyRootFilesystem to false, but it is set to true",
+				metadata:  Metadata{"Reason": prettifyReason(reason)},
 			}
 			result.Occurrences = append(result.Occurrences, occ)
 		}
 	} else if container.SecurityContext == nil || container.SecurityContext.ReadOnlyRootFilesystem == nil {
 		occ := Occurrence{
-			id:      ErrorReadOnlyRootFilesystemNIL,
-			kind:    Error,
-			message: "ReadOnlyRootFilesystem not set which results in a writable rootFS, please set to true",
+			container: container.Name,
+			id:        ErrorReadOnlyRootFilesystemNIL,
+			kind:      Error,
+			message:   "ReadOnlyRootFilesystem not set which results in a writable rootFS, please set to true",
 		}
 		result.Occurrences = append(result.Occurrences, occ)
 	} else if !*container.SecurityContext.ReadOnlyRootFilesystem {
 		occ := Occurrence{
-			id:      ErrorReadOnlyRootFilesystemFalse,
-			kind:    Error,
-			message: "ReadOnlyRootFilesystem set to false, please set to true",
+			container: container.Name,
+			id:        ErrorReadOnlyRootFilesystemFalse,
+			kind:      Error,
+			message:   "ReadOnlyRootFilesystem set to false, please set to true",
 		}
 		result.Occurrences = append(result.Occurrences, occ)
 	}

diff --git a/cmd/readOnlyRootFilesystem_fixes.go b/cmd/readOnlyRootFilesystem_fixes.go
@@ -2,10 +2,12 @@ package cmd
 
 import k8sRuntime "k8s.io/apimachinery/pkg/runtime"
 
-func fixReadOnlyRootFilesystem(resource k8sRuntime.Object) k8sRuntime.Object {
+func fixReadOnlyRootFilesystem(resource k8sRuntime.Object, occurrence Occurrence) k8sRuntime.Object {
 	var containers []Container
 	for _, container := range getContainers(resource) {
-		container.SecurityContext.ReadOnlyRootFilesystem = newTrue()
+		if occurrence.container == container.Name {
+			container.SecurityContext.ReadOnlyRootFilesystem = newTrue()
+		}
 		containers = append(containers, container)
 	}
 	return setContainers(resource, containers)