Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove dependency on PSPs, allowing us to bump K8s libraries' versions #2353

Open
kubasobon opened this issue Jul 24, 2024 · 2 comments
Open
Labels
dependency Team:Cloud Security Cloud Security team related
Milestone

Comments

@kubasobon
Copy link
Member

kubasobon commented Jul 24, 2024

Description

Cloudbeat relies on Kubernetes (K8s) libraries that provide PodSecurityPolicy definitions. However, due to PSP deprecation, we are stuck with outdated libraries, preventing us from updating other dependencies and remediating CVEs.

Details

PodSecurityPolicies (PSPs) have been deprecated (K8s v1.21) and removed (K8s v1.25). cloudbeat officially supports K8s v1.23, hence we keep all golang libraries that interact with K8s pinned to v0.28. That is the last version containing PSPs, which were removed in v0.29 and later.

Remediating CVEs often requires a bump of a dependency version, which is prevented by the pinned K8s library version.

The one piece of code blocking the upgrade is the dependency on policyv1beta1.PodSecurityPolicy type definition, used to spawn an Informer to watch for events. See: internal/resources/fetching/fetchers/k8s/kube_fetcher.go

Proposed solution

Check if K8s API serves PSPs. If yes, use Dynamic Informer to watch them without having to provide a full type. If not, do not watch them at all (K8s >=v1.25).

Extra examples:

@kubasobon kubasobon self-assigned this Jul 24, 2024
@kubasobon kubasobon removed their assignment Jul 25, 2024
@romulets
Copy link
Member

romulets commented Jul 29, 2024

PSP Code has been removed on #2356,

If we decide to not implement the PSP's we still need to remove all the commented infra/test code left behind

@kubasobon
Copy link
Member Author

@jeniawhite I believe the affected rules are as follows:

  • CIS K8s:
    • 1.2.13 - needs to be confirmed; technically it checks API server flags, not PSPs, but PSPs are mentioned
    • 5.2.3 - false positive, description mentions Pod Security Policies, but rule checks for Pod Security Standard field (.spec.hostPID); only the description needs fixing
  • CIS EKS:
    • 4.2.{1, 2, 3, 4, 5, 6, 7, 8, 9} - all reference PSPs, some upstream EKS PSPs; probably no longer applicable

The PR disabled the following:

  • CIS K8s: 5.2.{2,3,4,5,6,7,8,10}
  • CIS EKS: 4.2.{1,2,3,4,5,6}

I believe most of 5.2.x rules (with the exception of 5.2.3) check Pod Security Standards, not PSPs, and only need the Pod definition to evaluate. As for the others, we probably should find out what is the right subset of rules to disable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependency Team:Cloud Security Cloud Security team related
Projects
None yet
Development

No branches or pull requests

4 participants