diff --git a/test/confs/psp.yaml b/test/confs/psp.yaml
new file mode 100644
index 00000000..b3384009
--- /dev/null
+++ b/test/confs/psp.yaml
@@ -0,0 +1,165 @@ +# +# Copyright (C) 2016-2018 Draios Inc dba Sysdig. +# +# This file is part of falco . +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# File(s) or Directories containing Falco rules, loaded at startup. +# The name "rules_file" is only for backwards compatibility. +# If the entry is a file, it will be read directly. If the entry is a directory, +# every file in that directory will be read, in alphabetical order. +# +# falco_rules.yaml ships with the falco package and is overridden with +# every new software version. falco_rules.local.yaml is only created +# if it doesn't exist. If you want to customize the set of rules, add +# your customizations to falco_rules.local.yaml. +# +# The files will be read in the order presented here, so make sure if +# you have overrides they appear in later files. +rules_file: [] + +# If true, the times displayed in log messages and output messages +# will be in ISO 8601. By default, times are displayed in the local +# time zone, as governed by /etc/localtime. +time_format_iso_8601: false + +# Whether to output events in json or text +json_output: false + +# When using json output, whether or not to include the "output" property +# itself (e.g. "File below a known binary directory opened for writing +# (user=root ....") in the json output. +json_include_output_property: true + +# Send information logs to stderr and/or syslog Note these are *not* security +# notification logs! 
These are just Falco lifecycle (and possibly error) logs. +log_stderr: true +log_syslog: true + +# Minimum log level to include in logs. Note: these levels are +# separate from the priority field of rules. This refers only to the +# log level of falco's internal logging. Can be one of "emergency", +# "alert", "critical", "error", "warning", "notice", "info", "debug". +log_level: info + +# Minimum rule priority level to load and run. All rules having a +# priority more severe than this level will be loaded/run. Can be one +# of "emergency", "alert", "critical", "error", "warning", "notice", +# "info", "debug". +priority: debug + +# Whether or not output to any of the output channels below is +# buffered. Defaults to false +buffered_outputs: false + +# Falco uses a shared buffer between the kernel and userspace to pass +# system call information. When falco detects that this buffer is +# full and system calls have been dropped, it can take one or more of +# the following actions: +# - "ignore": do nothing. If an empty list is provided, ignore is assumed. +# - "log": log a CRITICAL message noting that the buffer was full. +# - "alert": emit a falco alert noting that the buffer was full. +# - "exit": exit falco with a non-zero rc. +# +# The rate at which log/alert messages are emitted is governed by a +# token bucket. The rate corresponds to one message every 30 seconds +# with a burst of 10 messages. + +syscall_event_drops: + actions: + - log + - alert + rate: .03333 + max_burst: 10 + +# A throttling mechanism implemented as a token bucket limits the +# rate of falco notifications. This throttling is controlled by the following configuration +# options: +# - rate: the number of tokens (i.e. right to send a notification) +# gained per second. Defaults to 1. +# - max_burst: the maximum number of tokens outstanding. Defaults to 1000. 
+# +# With these defaults, falco could send up to 1000 notifications after +# an initial quiet period, and then up to 1 notification per second +# afterward. It would gain the full burst back after 1000 seconds of +# no activity. + +outputs: + rate: 1 + max_burst: 1000 + +# Where security notifications should go. +# Multiple outputs can be enabled. + +syslog_output: + enabled: true + +# If keep_alive is set to true, the file will be opened once and +# continuously written to, with each output message on its own +# line. If keep_alive is set to false, the file will be re-opened +# for each output message. +# +# Also, the file will be closed and reopened if falco is signaled with +# SIGUSR1. + +file_output: + enabled: false + keep_alive: false + filename: ./events.txt + +stdout_output: + enabled: true + +# Falco contains an embedded webserver that can be used to accept K8s +# Audit Events. These config options control the behavior of that +# webserver. (By default, the webserver is disabled). +# +# The ssl_certificate is a combination SSL Certificate and corresponding +# key contained in a single file. You can generate a key/cert as follows: +# +# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem +# $ cat certificate.pem key.pem > falco.pem +# $ sudo cp falco.pem /etc/falco/falco.pem + +webserver: + enabled: true + listen_port: 8765 + k8s_audit_endpoint: /k8s_audit + ssl_enabled: false + ssl_certificate: /etc/falco/falco.pem + +# Possible additional things you might want to do with program output: +# - send to a slack webhook: +# program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" +# - logging (alternate method than syslog): +# program: logger -t falco-test +# - send over a network connection: +# program: nc host.example.com 80 + +# If keep_alive is set to true, the program will be started once and +# continuously written to, with each output message on its own +# line. 
If keep_alive is set to false, the program will be re-spawned +# for each output message. +# +# Also, the program will be closed and reopened if falco is signaled with +# SIGUSR1. +program_output: + enabled: false + keep_alive: false + program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" + +http_output: + enabled: false + url: http://some.url \ No newline at end of file diff --git a/test/falco_test.py b/test/falco_test.py index 1d1274f9..31d28c6f 100644 --- a/test/falco_test.py +++ b/test/falco_test.py @@ -39,6 +39,8 @@ class FalcoTest(Test): self.falcodir = self.params.get('falcodir', '/', default=build_dir) + self.psp_conv_path = os.path.join(build_dir, "tools", "psp_conv", "falco-psp-conv") + self.stdout_is = self.params.get('stdout_is', '*', default='') self.stderr_is = self.params.get('stderr_is', '*', default='') @@ -92,8 +94,15 @@ class FalcoTest(Test): if not isinstance(self.validate_rules_file, list): self.validate_rules_file = [self.validate_rules_file] + self.psp_rules_file = os.path.join(build_dir, "psp_rules.yaml") + + self.psp_file = self.params.get('psp_file', '*', default="") + self.rules_args = "" + if self.psp_file != "": + self.rules_args = self.rules_args + "-r " + self.psp_rules_file + " " + for file in self.validate_rules_file: if not os.path.isabs(file): file = os.path.join(self.basedir, file) 
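Review bot: `webserver: enabled: true` with `ssl_enabled: false` in this test configuration makes every test case bind a plaintext listener on `listen_port: 8765`, although the cases in falco_tests_psp.yaml appear to feed their K8s audit events through `trace_file` rather than the endpoint. Unless the converter or a case genuinely needs the webserver, `enabled: false` keeps the test process from opening a port it never reads and from failing on an address-in-use collision when two test processes overlap. If the listener is needed for some case, a comment above the `webserver:` stanza saying which one would stop the next reader from turning it off.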
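Review bot: `self.psp_rules_file = os.path.join(build_dir, "psp_rules.yaml")` is a single fixed path shared by every test case, and `self.rules_args` is built to load exactly that file, so two cases that overlap in time (a parallel runner, or two checkouts sharing `build_dir`) would read each other's converter output and pass or fail on the wrong rules. A per-test location such as `os.path.join(self.workdir, "psp_rules.yaml")` removes the sharing at no cost, assuming the avocado `Test` base class exposes `self.workdir` in the version in use. The enclosing method starts and ends outside the hunk.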
@@ -424,6 +433,24 @@ class FalcoTest(Test): if self.trace_file: trace_arg = "-e {}".format(self.trace_file) + # Possibly run psp converter + if self.psp_file != "": + conv_cmd = '{} --psp {} --rules {}'.format( + self.psp_conv_path, os.path.join(self.basedir, self.psp_file), self.psp_rules_file) + + conv_proc = process.SubProcess(conv_cmd) + + conv_res = conv_proc.run(timeout=180, sig=9) + + if conv_res.exit_status != 0: + self.error("psp_conv command \"{}\" exited with unexpected return value {}. Full stdout={} stderr={}".format( + conv_cmd, conv_res.exit_status, conv_res.stdout, conv_res.stderr)) + + with open(self.psp_rules_file, 'r') as myfile: + psp_rules = myfile.read() + self.log.debug("Converted Rules: {}".format(psp_rules)) + + # Run falco cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format( self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority) diff --git a/test/falco_tests_psp.yaml b/test/falco_tests_psp.yaml new file mode 100644 index 00000000..e0165ce3 --- /dev/null +++ b/test/falco_tests_psp.yaml 
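Review bot: The converter's output path `self.psp_rules_file` is never cleared before `conv_proc.run(timeout=180, sig=9)`, so a converter that exits 0 without (re)writing the file would leave the `open(self.psp_rules_file, 'r')` read and the later `-r` load silently using the rules of the previous test case. Removing any stale file first, e.g. `if os.path.exists(self.psp_rules_file): os.remove(self.psp_rules_file)` before `conv_cmd` is built, turns that case into a loud failure at the `open()`. The two paths interpolated into `conv_cmd` are not shell-quoted; that is fine for the fixed names under test/psps but would break if `self.basedir` ever contained whitespace. The enclosing method continues outside the hunk.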
@@ -0,0 +1,646 @@ +# +# Copyright (C) 2016-2018 Draios Inc dba Sysdig. +# +# This file is part of falco. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +trace_files: !mux + + privileged_detect_k8s_audit: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (privileged) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/privileged.yaml + trace_file: trace_files/psp/privileged.json + + privileged_detect_syscall: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (privileged) System Activity": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/privileged.yaml + trace_file: trace_files/psp/privileged.scap + + privileged_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/privileged.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + host_pid_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (hostPID)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/host_pid.yaml + trace_file: trace_files/psp/host_pid.json + + host_pid_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/host_pid.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + host_ipc_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (hostIPC)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/host_ipc.yaml + 
trace_file: trace_files/psp/host_ipc.json + + host_ipc_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/host_ipc.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + host_network_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (hostNetwork)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/host_network.yaml + trace_file: trace_files/psp/host_network.json + + host_network_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/host_network.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + host_network_ports_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (hostPorts)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/host_network_ports.yaml + trace_file: trace_files/psp/host_network_ports.json + + host_network_ports_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/host_network_ports.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + volumes_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (volumes)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/volumes.yaml + trace_file: trace_files/psp/mount_etc_using_host_path.json + + volumes_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/volumes.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + allowed_host_paths_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (allowedHostPaths)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/allowed_host_paths.yaml + trace_file: trace_files/psp/mount_etc_using_host_path.json + + allowed_host_paths_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/allowed_host_paths.yaml + trace_file: 
trace_files/psp/create_vanilla_nginx_deployment.json + + allowed_flex_volumes_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (allowedFlexVolumes)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/flex_volumes.yaml + trace_file: trace_files/psp/flex_volumes.json + + allowed_flex_volumes_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/flex_volumes.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + fs_group_must_run_as_with_unset: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (fsGroup)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/fs_group_must_run_as.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + fs_group_must_run_as: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (fsGroup)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/fs_group_must_run_as.yaml + trace_file: trace_files/psp/fs_group.json + + fs_group_may_run_as: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (fsGroup)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/fs_group_may_run_as.yaml + trace_file: trace_files/psp/fs_group.json + + fs_group_may_run_as_with_unset: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/fs_group_may_run_as.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + fs_group_run_as_any: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/fs_group_run_as_any.yaml + trace_file: trace_files/psp/fs_group.json + + fs_group_run_as_any_with_unset: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/fs_group_run_as_any.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + read_only_root_fs_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (readOnlyRootFilesystem) 
K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/read_only_root_fs.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + read_only_root_fs_detect_syscall: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (readOnlyRootFilesystem) System Activity": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/read_only_root_fs.yaml + trace_file: trace_files/psp/write_tmp_test.scap + + read_only_root_fs_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/read_only_root_fs.yaml + trace_file: trace_files/psp/read_only_root_fs.json + + user_must_run_as_with_unset: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsUser=MustRunAs) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + user_must_run_as_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsUser=MustRunAs) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as.yaml + trace_file: trace_files/psp/run_as_user_1000_container.json + + user_must_run_as_detect_syscall: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsUser=MustRunAs) System Activity": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as.yaml + trace_file: trace_files/psp/run_as_user_65534_container.scap + + user_must_run_as_not_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as.yaml + trace_file: trace_files/psp/run_as_user_30_container.json + + user_must_run_as_detect_sec_ctx: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsUser=MustRunAs) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as.yaml + trace_file: 
trace_files/psp/run_as_user_1000_sec_ctx.json + + user_must_run_as_not_detect_sec_ctx: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as.yaml + trace_file: trace_files/psp/run_as_user_30_sec_ctx.json + + user_must_run_as_detect_both: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsUser=MustRunAs) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as.yaml + trace_file: trace_files/psp/run_as_user_30_sec_ctx_1000_container.json + + user_must_run_as_not_detect_both: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as.yaml + trace_file: trace_files/psp/run_as_user_1000_sec_ctx_30_container.json + + user_must_run_as_non_root_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as_non_root.yaml + trace_file: trace_files/psp/run_as_user_0_container.json + + user_must_run_as_non_root_detect_syscall: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsUser=MustRunAsNonRoot) System Activity": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as_non_root.yaml + trace_file: trace_files/psp/run_as_user_0_container.scap + + user_must_run_as_non_root_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as_non_root.yaml + trace_file: trace_files/psp/run_as_user_1000_container.json + + user_must_run_as_non_root_detect_sec_ctx: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as_non_root.yaml + trace_file: trace_files/psp/run_as_user_0_sec_ctx.json + + user_must_run_as_non_root_no_detect_sec_ctx: + detect: False + rules_file: [] + 
conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as_non_root.yaml + trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json + + user_must_run_as_non_root_detect_both: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as_non_root.yaml + trace_file: trace_files/psp/run_as_user_1000_sec_ctx_0_container.json + + user_must_run_as_non_root_no_detect_both: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/user_must_run_as_non_root.yaml + trace_file: trace_files/psp/run_as_user_0_sec_ctx_1000_container.json + + group_must_run_as_with_unset: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsGroup=MustRunAs) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_must_run_as.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + group_must_run_as_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsGroup=MustRunAs) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_must_run_as.yaml + trace_file: trace_files/psp/run_as_group_1000_container.json + + group_must_run_as_detect_syscall: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsGroup=MustRunAs) System Activity": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_must_run_as.yaml + trace_file: trace_files/psp/run_as_user_65534_container.scap + + group_must_run_as_not_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_must_run_as.yaml + trace_file: trace_files/psp/run_as_group_30_container.json + + group_must_run_as_detect_sec_ctx: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsGroup=MustRunAs) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: 
psps/group_must_run_as.yaml + trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json + + group_must_run_as_not_detect_sec_ctx: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_must_run_as.yaml + trace_file: trace_files/psp/run_as_group_30_sec_ctx.json + + group_must_run_as_detect_both: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsGroup=MustRunAs) K8s Audit": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_must_run_as.yaml + trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json + + group_must_run_as_not_detect_both: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_must_run_as.yaml + trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json + + group_may_run_as_with_unset: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_may_run_as.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + group_may_run_as_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsGroup=MayRunAs)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_may_run_as.yaml + trace_file: trace_files/psp/run_as_group_1000_container.json + + group_may_run_as_not_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_may_run_as.yaml + trace_file: trace_files/psp/run_as_group_30_container.json + + group_may_run_as_detect_sec_ctx: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsGroup=MayRunAs)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_may_run_as.yaml + trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json + + group_may_run_as_not_detect_sec_ctx: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_may_run_as.yaml + trace_file: trace_files/psp/run_as_group_30_sec_ctx.json + + group_may_run_as_detect_both: 
+ detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (runAsGroup=MayRunAs)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_may_run_as.yaml + trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json + + group_may_run_as_not_detect_both: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/group_may_run_as.yaml + trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json + + supplemental_groups_must_run_as_with_unset: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (supplementalGroups=MustRunAs)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/supplemental_groups_must_run_as_30_40.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + supplemental_groups_must_run_as_no_overlap: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (supplementalGroups=MustRunAs)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/supplemental_groups_must_run_as_30_40.yaml + trace_file: trace_files/psp/supplemental_groups_10_20.json + + supplemental_groups_must_run_as_partial_overlap: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (supplementalGroups=MustRunAs)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/supplemental_groups_must_run_as_30_40_10_15.yaml + trace_file: trace_files/psp/supplemental_groups_10_20.json + + supplemental_groups_must_run_as_overlap: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/supplemental_groups_must_run_as_10_20.yaml + trace_file: trace_files/psp/supplemental_groups_10_20.json + + supplemental_groups_must_run_as_overlap_multiple_ranges: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/supplemental_groups_must_run_as_10_40_10_20.yaml + trace_file: trace_files/psp/supplemental_groups_10_20.json + + supplemental_groups_may_run_as_with_unset: + detect: False 
+ rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/supplemental_groups_may_run_as_30_40.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + supplemental_groups_may_run_as_no_overlap: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (supplementalGroups=MayRunAs)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/supplemental_groups_may_run_as_30_40.yaml + trace_file: trace_files/psp/supplemental_groups_10_20.json + + supplemental_groups_may_run_as_partial_overlap: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (supplementalGroups=MayRunAs)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/supplemental_groups_may_run_as_30_40_10_15.yaml + trace_file: trace_files/psp/supplemental_groups_10_20.json + + supplemental_groups_may_run_as_overlap: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/supplemental_groups_may_run_as_10_20.yaml + trace_file: trace_files/psp/supplemental_groups_10_20.json + + supplemental_groups_may_run_as_overlap_multiple_ranges: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/supplemental_groups_may_run_as_10_40_10_20.yaml + trace_file: trace_files/psp/supplemental_groups_10_20.json + + privilege_escalation_privilege_escalation_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (allowPrivilegeEscalation)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/privilege_escalation.yaml + trace_file: trace_files/psp/privilege_escalation.json + + allowed_capabilities_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (allowedCapabilities)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/allowed_capabilities.yaml + trace_file: trace_files/psp/capability_add_sys_time.json + + allowed_capabilities_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: 
psps/allowed_capabilities.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + allowed_capabilities_match: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/allowed_capabilities.yaml + trace_file: trace_files/psp/capability_add_sys_nice.json + + allowed_proc_mount_types_detect: + detect: True + detect_level: WARNING + detect_counts: + - "PSP Violation (allowedProcMountTypes)": 1 + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/allowed_proc_mount_types.yaml + trace_file: trace_files/psp/proc_mount_type_unmasked.json + + allowed_proc_mount_types_no_detect: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/allowed_proc_mount_types.yaml + trace_file: trace_files/psp/create_vanilla_nginx_deployment.json + + allowed_proc_mount_types_match: + detect: False + rules_file: [] + conf_file: confs/psp.yaml + psp_file: psps/allowed_proc_mount_types.yaml + trace_file: trace_files/psp/proc_mount_type_default.json \ No newline at end of file diff --git a/test/psps/allowed_capabilities.yaml b/test/psps/allowed_capabilities.yaml new file mode 100644 index 00000000..4c6be88d --- /dev/null +++ b/test/psps/allowed_capabilities.yaml @@ -0,0 +1,10 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: allow_capability_sys_nice +spec: + allowedCapabilities: + - SYS_NICE + diff --git a/test/psps/allowed_host_paths.yaml b/test/psps/allowed_host_paths.yaml new file mode 100644 index 00000000..79ab0224 --- /dev/null +++ b/test/psps/allowed_host_paths.yaml @@ -0,0 +1,11 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: only_mount_host_usr +spec: + allowedHostPaths: + - pathPrefix: /usr + readOnly: true + diff --git a/test/psps/allowed_proc_mount_types.yaml b/test/psps/allowed_proc_mount_types.yaml new file mode 100644 index 00000000..d35e575c --- /dev/null 
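Review bot: The allowPrivilegeEscalation policy has only a positive case, `privilege_escalation_privilege_escalation_detect`, whereas every other field in this file pairs its detect case with a `_no_detect` case replaying trace_files/psp/create_vanilla_nginx_deployment.json; without the negative case a converter that flags every pod for this field would still pass. Adding `privilege_escalation_no_detect` with `detect: False`, the same `psp_file: psps/privilege_escalation.yaml` and the vanilla trace closes that gap, and the doubled prefix in the existing case name looks like a copy-paste slip worth renaming to `privilege_escalation_detect`. As a point of style, `detect: True`/`False` are YAML 1.1 spellings that plain `true`/`false` express more portably, though both load as booleans here.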
+++ b/test/psps/allowed_proc_mount_types.yaml @@ -0,0 +1,10 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: allow_default_proc_mount_type +spec: + allowedProcMountTypes: + - Default + diff --git a/test/psps/flex_volumes.yaml b/test/psps/flex_volumes.yaml new file mode 100644 index 00000000..cbfd7f17 --- /dev/null +++ b/test/psps/flex_volumes.yaml @@ -0,0 +1,13 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: only_lvm_cifs_flex_volumes +spec: + volumes: + - flexVolume + allowedFlexVolumes: + - driver: example/lvm + - driver: example/cifs + diff --git a/test/psps/fs_group_may_run_as.yaml b/test/psps/fs_group_may_run_as.yaml new file mode 100644 index 00000000..7a954296 --- /dev/null +++ b/test/psps/fs_group_may_run_as.yaml @@ -0,0 +1,12 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: fs_group_may_run_as_30 +spec: + fsGroup: + rule: "MayRunAs" + ranges: + - min: 30 + max: 40 diff --git a/test/psps/fs_group_must_run_as.yaml b/test/psps/fs_group_must_run_as.yaml new file mode 100644 index 00000000..304dda72 --- /dev/null +++ b/test/psps/fs_group_must_run_as.yaml @@ -0,0 +1,12 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: fs_group_must_run_as_30 +spec: + fsGroup: + rule: "MustRunAs" + ranges: + - min: 30 + max: 40 diff --git a/test/psps/fs_group_run_as_any.yaml b/test/psps/fs_group_run_as_any.yaml new file mode 100644 index 00000000..ecd2d4ae --- /dev/null +++ b/test/psps/fs_group_run_as_any.yaml @@ -0,0 +1,10 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: fs_group_run_as_any +spec: + fsGroup: + rule: "RunAsAny" + 
diff --git a/test/psps/group_may_run_as.yaml b/test/psps/group_may_run_as.yaml new file mode 100644 index 00000000..c903dd6d --- /dev/null +++ b/test/psps/group_may_run_as.yaml @@ -0,0 +1,12 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: group_may_run_as_30 +spec: + runAsGroup: + rule: "MayRunAs" + ranges: + - min: 30 + max: 40 diff --git a/test/psps/group_must_run_as.yaml b/test/psps/group_must_run_as.yaml new file mode 100644 index 00000000..8bf32573 --- /dev/null +++ b/test/psps/group_must_run_as.yaml @@ -0,0 +1,12 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: group_must_run_as_30 +spec: + runAsGroup: + rule: "MustRunAs" + ranges: + - min: 30 + max: 40 diff --git a/test/psps/host_ipc.yaml b/test/psps/host_ipc.yaml new file mode 100644 index 00000000..6010a507 --- /dev/null +++ b/test/psps/host_ipc.yaml @@ -0,0 +1,8 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: no_host_ipc +spec: + hostIPC: false diff --git a/test/psps/host_network.yaml b/test/psps/host_network.yaml new file mode 100644 index 00000000..b420f9b0 --- /dev/null +++ b/test/psps/host_network.yaml @@ -0,0 +1,8 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: no_host_network +spec: + hostNetwork: false diff --git a/test/psps/host_network_ports.yaml b/test/psps/host_network_ports.yaml new file mode 100644 index 00000000..ab082485 --- /dev/null +++ b/test/psps/host_network_ports.yaml @@ -0,0 +1,11 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: host_ports_100_200_only +spec: + hostNetwork: true + hostPorts: + - min: 100 + max: 200 
diff --git a/test/psps/host_pid.yaml b/test/psps/host_pid.yaml new file mode 100644 index 00000000..be4d614b --- /dev/null +++ b/test/psps/host_pid.yaml @@ -0,0 +1,8 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: no_host_pid +spec: + hostPID: false diff --git a/test/psps/privilege_escalation.yaml b/test/psps/privilege_escalation.yaml new file mode 100644 index 00000000..04ea6282 --- /dev/null +++ b/test/psps/privilege_escalation.yaml @@ -0,0 +1,8 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: no_privileged +spec: + allowPrivilegeEscalation: false diff --git a/test/psps/privileged.yaml b/test/psps/privileged.yaml new file mode 100644 index 00000000..d6ae4c93 --- /dev/null +++ b/test/psps/privileged.yaml @@ -0,0 +1,8 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: no_privileged +spec: + privileged: false diff --git a/test/psps/read_only_root_fs.yaml b/test/psps/read_only_root_fs.yaml new file mode 100644 index 00000000..4a6412e1 --- /dev/null +++ b/test/psps/read_only_root_fs.yaml @@ -0,0 +1,8 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: read_only_root_fs +spec: + readOnlyRootFilesystem: true diff --git a/test/psps/supplemental_groups_may_run_as_10_20.yaml b/test/psps/supplemental_groups_may_run_as_10_20.yaml new file mode 100644 index 00000000..12f83638 --- /dev/null +++ b/test/psps/supplemental_groups_may_run_as_10_20.yaml @@ -0,0 +1,12 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: supplemental_groups_may_run_as_10 +spec: + supplementalGroups: + rule: "MayRunAs" + ranges: + - min: 10 + max: 20 
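Review bot: `name: no_privileged` in privilege_escalation.yaml is the same metadata.name as in privileged.yaml in the next hunk, so the two fixtures are indistinguishable by name; `name: no_privilege_escalation` would match both the filename and the field it exercises. If the converter embeds the policy name in the generated rule names or outputs (the hunk does not show this), the collision would also make a wrong-fixture failure hard to attribute.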
diff --git a/test/psps/supplemental_groups_may_run_as_10_40_10_20.yaml b/test/psps/supplemental_groups_may_run_as_10_40_10_20.yaml new file mode 100644 index 00000000..e7efe913 --- /dev/null +++ b/test/psps/supplemental_groups_may_run_as_10_40_10_20.yaml @@ -0,0 +1,14 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: supplemental_groups_may_run_as_30 +spec: + supplementalGroups: + rule: "MayRunAs" + ranges: + - min: 10 + max: 40 + - min: 10 + max: 20 diff --git a/test/psps/supplemental_groups_may_run_as_30_40.yaml b/test/psps/supplemental_groups_may_run_as_30_40.yaml new file mode 100644 index 00000000..039d3e16 --- /dev/null +++ b/test/psps/supplemental_groups_may_run_as_30_40.yaml @@ -0,0 +1,12 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: supplemental_groups_may_run_as_30 +spec: + supplementalGroups: + rule: "MayRunAs" + ranges: + - min: 30 + max: 40 diff --git a/test/psps/supplemental_groups_may_run_as_30_40_10_15.yaml b/test/psps/supplemental_groups_may_run_as_30_40_10_15.yaml new file mode 100644 index 00000000..95b3e26a --- /dev/null +++ b/test/psps/supplemental_groups_may_run_as_30_40_10_15.yaml @@ -0,0 +1,14 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + falco-rules-psp-images: "[nginx]" + name: supplemental_groups_may_run_as_30 +spec: + supplementalGroups: + rule: "MayRunAs" + ranges: + - min: 30 + max: 40 + - min: 10 + max: 15 diff --git a/test/psps/supplemental_groups_must_run_as_10_20.yaml b/test/psps/supplemental_groups_must_run_as_10_20.yaml new file mode 100644 index 00000000..6655fc45 --- /dev/null +++ b/test/psps/supplemental_groups_must_run_as_10_20.yaml 
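Review bot: `name: supplemental_groups_may_run_as_30` in supplemental_groups_may_run_as_10_40_10_20.yaml does not match its ranges, which begin at `min: 10`, while supplemental_groups_may_run_as_10_20.yaml in the previous hunk uses `_10`; the same mismatch appears in supplemental_groups_must_run_as_10_40_10_20.yaml on the next line. A name that mirrors the filename, e.g. `name: supplemental_groups_may_run_as_10_40_10_20`, keeps the fixtures greppable and makes a failure message point at the right policy.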
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ falco-rules-psp-images: "[nginx]"
+ name: supplemental_groups_must_run_as_10
+spec:
+ supplementalGroups:
+ rule: "MustRunAs"
+ ranges:
+ - min: 10
+ max: 20
diff --git a/test/psps/supplemental_groups_must_run_as_10_40_10_20.yaml b/test/psps/supplemental_groups_must_run_as_10_40_10_20.yaml
new file mode 100644
index 00000000..cdc96a0c
--- /dev/null
+++ b/test/psps/supplemental_groups_must_run_as_10_40_10_20.yaml
@@ -0,0 +1,14 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ falco-rules-psp-images: "[nginx]"
+ name: supplemental_groups_must_run_as_30
+spec:
+ supplementalGroups:
+ rule: "MustRunAs"
+ ranges:
+ - min: 10
+ max: 40
+ - min: 10
+ max: 20
diff --git a/test/psps/supplemental_groups_must_run_as_30_40.yaml b/test/psps/supplemental_groups_must_run_as_30_40.yaml
new file mode 100644
index 00000000..20c1cd2f
--- /dev/null
+++ b/test/psps/supplemental_groups_must_run_as_30_40.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ falco-rules-psp-images: "[nginx]"
+ name: supplemental_groups_must_run_as_30
+spec:
+ supplementalGroups:
+ rule: "MustRunAs"
+ ranges:
+ - min: 30
+ max: 40
diff --git a/test/psps/supplemental_groups_must_run_as_30_40_10_15.yaml b/test/psps/supplemental_groups_must_run_as_30_40_10_15.yaml
new file mode 100644
index 00000000..5f7edfec
--- /dev/null
+++ b/test/psps/supplemental_groups_must_run_as_30_40_10_15.yaml
@@ -0,0 +1,14 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ falco-rules-psp-images: "[nginx]"
+ name: supplemental_groups_must_run_as_30
+spec:
+ supplementalGroups:
+ rule: "MustRunAs"
+ ranges:
+ - min: 30
+ max: 40
+ - min: 10
+ max: 15
diff --git a/test/psps/user_must_run_as.yaml b/test/psps/user_must_run_as.yaml
new file mode 100644
index 00000000..9322eeb9
--- /dev/null
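Review bot: The MustRunAs fixture `supplemental_groups_must_run_as_10_40_10_20.yaml` carries `name: supplemental_groups_must_run_as_30` although its ranges are 10–40 and 10–20, and that name is shared with the `_30_40` and `_30_40_10_15` MustRunAs fixtures on this line — the same copy-paste slip as in the MayRunAs set. Suggest `name: supplemental_groups_must_run_as_10_40_10_20` so the name, the file and any rule or output derived from it agree. These files differ from their MayRunAs twins only in the `rule` value, so a short comment in each stating which pod shape (supplementalGroups omitted vs. out of range) the consuming test expects to alert on would make the fixture self-explanatory.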
+++ b/test/psps/user_must_run_as.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ falco-rules-psp-images: "[nginx]"
+ name: user_must_run_as_30
+spec:
+ runAsUser:
+ rule: "MustRunAs"
+ ranges:
+ - min: 30
+ max: 40
diff --git a/test/psps/user_must_run_as_non_root.yaml b/test/psps/user_must_run_as_non_root.yaml
new file mode 100644
index 00000000..bbb333e0
--- /dev/null
+++ b/test/psps/user_must_run_as_non_root.yaml
@@ -0,0 +1,9 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ falco-rules-psp-images: "[nginx]"
+ name: user_must_run_as_non_root
+spec:
+ runAsUser:
+ rule: "MustRunAsNonRoot"
diff --git a/test/psps/volumes.yaml b/test/psps/volumes.yaml
new file mode 100644
index 00000000..f218fcf9
--- /dev/null
+++ b/test/psps/volumes.yaml
@@ -0,0 +1,10 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ falco-rules-psp-images: "[nginx]"
+ name: only_secret_volumes
+spec:
+ volumes:
+ - secret
+
diff --git a/test/rules/k8s_audit/allow_nginx_container.yaml b/test/rules/k8s_audit/allow_nginx_container.yaml
index 3654647c..0a8ba6a2 100644
--- a/test/rules/k8s_audit/allow_nginx_container.yaml
+++ b/test/rules/k8s_audit/allow_nginx_container.yaml
@@ -1,3 +1,3 @@ - macro: allowed_k8s_containers
- condition: (ka.req.container.image.repository=nginx)
+ condition: (ka.req.pod.containers.image.repository in (nginx))
diff --git a/test/rules/k8s_audit/allow_only_apache_container.yaml b/test/rules/k8s_audit/allow_only_apache_container.yaml
index 906b6086..30ffffb4 100644
--- a/test/rules/k8s_audit/allow_only_apache_container.yaml
+++ b/test/rules/k8s_audit/allow_only_apache_container.yaml
@@ -1,3 +1,3 @@ - macro: allowed_k8s_containers
- condition: (ka.req.container.image.repository=apache)
+ condition: (ka.req.pod.containers.image.repository in (apache))
diff --git a/test/run_regression_tests.sh b/test/run_regression_tests.sh
index 4cda3626..b23be708 100755
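Review bot: The new condition `ka.req.pod.containers.image.repository in (nginx)` compares a list-valued field (one repository per container in the pod) against an allow-list, and nothing in this diff says whether `in` on a list field requires every element to be in the set or is satisfied by a single one. For an `allowed_k8s_containers` allow-list macro that distinction is the whole point: under an any-match reading a pod with an `nginx` container plus an arbitrary sidecar would count as allowed and escape the rule that uses this macro. Worth confirming the engine's list semantics for `in` and recording the intended one next to the macro, e.g. `# every container's repository must be in the set; one matching sidecar must not make the pod allowed`. The same applies to allow_only_apache_container.yaml on this line.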
--- a/test/run_regression_tests.sh
+++ b/test/run_regression_tests.sh
@@ -88,7 +88,7 @@ function run_tests() {
# return status when running avocado.
set +e
TEST_RC=0
- for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml; do
+ for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml; do
CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
echo "Running: $CMD"
BUILD_DIR=${BUILD_DIR} $CMD
diff --git a/test/trace_files/CMakeLists.txt b/test/trace_files/CMakeLists.txt
index b6ede4ec..d7da51cc 100644
--- a/test/trace_files/CMakeLists.txt
+++ b/test/trace_files/CMakeLists.txt
@@ -1,4 +1,5 @@ add_subdirectory(k8s_audit)
+add_subdirectory(psp)
# Note: list of traces is created at cmake time, not build time
file(GLOB test_trace_files "${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
diff --git a/test/trace_files/psp/CMakeLists.txt b/test/trace_files/psp/CMakeLists.txt
new file mode 100644
index 00000000..879d292a
--- /dev/null
+++ b/test/trace_files/psp/CMakeLists.txt
@@ -0,0 +1,13 @@
+# Note: list of traces is created at cmake time, not build time
+file(GLOB test_trace_files
+ "${CMAKE_CURRENT_SOURCE_DIR}/*.json"
+ "${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
+
+foreach(trace_file_path ${test_trace_files})
+ get_filename_component(trace_file ${trace_file_path} NAME)
+ add_custom_target(test-trace-${trace_file} ALL
+ DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
+ add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
+ COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
+ DEPENDS ${trace_file_path})
+endforeach()
diff --git a/test/trace_files/psp/capability_add_sys_nice.json b/test/trace_files/psp/capability_add_sys_nice.json
new file mode 100644
index 00000000..347afaa5
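Review bot: The new `for mult in …` line keeps `$SCRIPTDIR` unquoted in every entry, so a checkout path containing spaces or glob characters is word-split before avocado sees it; quoting each entry, `"$SCRIPTDIR"/falco_tests_psp.yaml`, fixes that without touching the loop body. With five entries now, a bash array above the loop (`MUX_FILES=( "$SCRIPTDIR"/falco_traces.yaml … )` and `for mult in "${MUX_FILES[@]}"; do`) would also keep the next addition to a one-line diff. `falco_tests_psp.yaml` itself does not appear in the part of this diff I can see; if it is not added elsewhere in the commit, this entry makes the avocado run fail. The remainder of run_tests() is outside the hunk.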
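Review bot: `add_custom_target(test-trace-${trace_file} ALL …)` derives a global CMake target name from the bare file name, and the parent CMakeLists on this same line now pulls in both k8s_audit and psp; if k8s_audit/CMakeLists.txt (not in this diff) uses the same `test-trace-<name>` pattern, or a trace with the same name lands in the parent `*.scap` glob, configure aborts with a duplicate-target error. Namespacing the target by directory, `add_custom_target(test-trace-psp-${trace_file} ALL`, removes the collision. The `# Note: list of traces is created at cmake time` caveat is easy to trip over for test data — a new .json fixture is silently not copied until cmake is re-run; if the project's minimum CMake version allows it, `file(GLOB test_trace_files CONFIGURE_DEPENDS …)` makes the glob re-evaluate at build time.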
--- /dev/null
+++ b/test/trace_files/psp/capability_add_sys_nice.json
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8d851f81-a1b4-4e70-beab-d970f0fb2c83","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-69f955c5cb-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-69f955c5cb-n84gn","generateName":"nginx-deployment-69f955c5cb-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-69f955c5cb-n84gn","uid":"79e5993f-986f-11e9-81be-080027f777c0","resourceVersion":"17335","creationTimestamp":"2019-06-27T00:06:56Z","labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersio
n":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:06:56.532460Z","stageTimestamp":"2019-06-27T00:06:56.540876Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/capability_add_sys_time.json b/test/trace_files/psp/capability_add_sys_time.json new file mode 100644 index 00000000..a024c195 --- /dev/null +++ b/test/trace_files/psp/capability_add_sys_time.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8d851f81-a1b4-4e70-beab-d970f0fb2c83","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-69f955c5cb-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_TIME"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-69f955c5cb-n84gn","generateName":"nginx-deployment-69f955c5cb-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-69f955c5cb-n84gn","uid":"79e5993f-986f-11e9-81be-080027f777c0","resourceVersion":"17335","creationTimestamp":"2019-06-27T00:06:56Z","labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersio
n":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_TIME"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:06:56.532460Z","stageTimestamp":"2019-06-27T00:06:56.540876Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/create_vanilla_nginx_deployment.json b/test/trace_files/psp/create_vanilla_nginx_deployment.json new file mode 100644 index 00000000..e09eaffe --- /dev/null +++ b/test/trace_files/psp/create_vanilla_nginx_deployment.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2018-10-25T14:09:49Z"},"level":"RequestResponse","timestamp":"2018-10-25T14:09:49Z","auditID":"7c8b2603-6a87-4764-b166-49dd7fa46f4c","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["::1"],"objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-78f5d695bd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"3491825168"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78f5d695bd","uid":"a2a78691-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler"},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-78f5d695bd-nxqz5","generateName":"nginx-deployment-78f5d695bd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-78f5d695bd-nxqz5","uid":"a2ad81ba-d85f-11e8-88b6-080027728ac4","resourceVersion":"237324","creationTimestamp":"2018-10-25T14:09:49Z","labels":{"app":"nginx","pod-template-hash":"3491825168"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78f5d695bd","uid":"a2a78691-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDelet
ion":true}]},"spec":{"volumes":[{"name":"default-token-g2sp7","secret":{"secretName":"default-token-g2sp7","defaultMode":420}}],"containers":[{"name":"nginx","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-g2sp7","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2018-10-25T14:09:49.750328Z","stageTimestamp":"2018-10-25T14:09:49.761315Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/flex_volumes.json b/test/trace_files/psp/flex_volumes.json new file mode 100644 index 00000000..c6f73485 --- /dev/null +++ b/test/trace_files/psp/flex_volumes.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"68be6685-eca7-462a-ab53-ae65960ba638","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5575fc4cfd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"5575fc4cfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5575fc4cfd","uid":"bbdbd8fe-9459-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"dummy-tmp","flexVolume":{"driver":"dummy/dummy"}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"dummy-tmp","mountPath":"/dummy/tmp"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5575fc4cfd-95vmv","generateName":"nginx-deployment-5575fc4cfd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5575fc4cfd-95vmv","uid":"bbde0eec-9459-11e9-9dc6-080027cac2d9","resourceVersion":"7185","creationTimestamp":"2019-06-21T19:21:13Z","labels":{"app":"nginx","pod-temp
late-hash":"5575fc4cfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5575fc4cfd","uid":"bbdbd8fe-9459-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"dummy-tmp","flexVolume":{"driver":"dummy/dummy"}},{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"dummy-tmp","mountPath":"/dummy/tmp"},{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T19:21:13.637829Z","stageTimestamp":"2019-06-21T19:21:13.648070Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} \ No newline at end of file diff --git a/test/trace_files/psp/fs_group.json b/test/trace_files/psp/fs_group.json new file mode 100644 index 00000000..e45c5a37 --- /dev/null +++ b/test/trace_files/psp/fs_group.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"80e45c71-0618-4e6a-af42-fa13b83f8d03","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-6fc66bd775-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"6fc66bd775"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6fc66bd775","uid":"90bfb948-9462-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"fsGroup":2000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-6fc66bd775-z6txl","generateName":"nginx-deployment-6fc66bd775-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-6fc66bd775-z6txl","uid":"90c2433c-9462-11e9-9dc6-080027cac2d9","resourceVersion":"8201","creationTimestamp":"2019-06-21T20:24:26Z","labels":{"app":"nginx","pod-template-hash":"6fc66bd775"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6fc66bd
775","uid":"90bfb948-9462-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"fsGroup":2000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T20:24:26.783217Z","stageTimestamp":"2019-06-21T20:24:26.790787Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/host_ipc.json b/test/trace_files/psp/host_ipc.json new file mode 100644 index 00000000..d0add7a5 --- /dev/null +++ b/test/trace_files/psp/host_ipc.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"e2c061fc-7b81-4e1e-b1d2-a54b5ee93920","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"73a5fa38-9230-11e9-9af2-08002760e39e","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-755c58cb7c-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"755c58cb7c"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-755c58cb7c","uid":"cd652bbf-9232-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostIPC":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-755c58cb7c-vrx4n","generateName":"nginx-deployment-755c58cb7c-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-755c58cb7c-vrx4n","uid":"cd67586f-9232-11e9-b061-08002760e39e","resourceVersion":"1628","creationTimestamp":"2019-06-19T01:37:30Z","labels":{"app":"nginx","pod-template-hash":"755c58cb7c"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-755c58
cb7c","uid":"cd652bbf-9232-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-7t8xw","secret":{"secretName":"default-token-7t8xw","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-7t8xw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostIPC":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-19T01:37:30.360992Z","stageTimestamp":"2019-06-19T01:37:30.365019Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/host_network.json b/test/trace_files/psp/host_network.json new file mode 100644 index 00000000..a0f687c1 --- /dev/null +++ b/test/trace_files/psp/host_network.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"f7c424ca-5028-4e01-9d95-199caaae240d","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5dc5447c47-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"5dc5447c47"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5dc5447c47","uid":"3556e44d-944d-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5dc5447c47-fp5m4","generateName":"nginx-deployment-5dc5447c47-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5dc5447c47-fp5m4","uid":"3558a533-944d-11e9-993f-080027cac2d9","resourceVersion":"619","creationTimestamp":"2019-06-21T17:51:33Z","labels":{"app":"nginx","pod-template-hash":"5dc5447c47"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5dc
5447c47","uid":"3556e44d-944d-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T17:51:33.989119Z","stageTimestamp":"2019-06-21T17:51:33.994788Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/host_network_ports.json b/test/trace_files/psp/host_network_ports.json new file mode 100644 index 00000000..ec33a5b1 --- /dev/null +++ b/test/trace_files/psp/host_network_ports.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"ff8f799f-6d31-43e8-a55c-95497daca0f2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-84ffbbb976-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"84ffbbb976"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-84ffbbb976","uid":"8742e6a8-944f-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","ports":[{"hostPort":1234,"containerPort":1234,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-84ffbbb976-5tnlg","generateName":"nginx-deployment-84ffbbb976-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-84ffbbb976-5tnlg","uid":"87447a8c-944f-11e9-993f-080027cac2d9","resourceVersion":"1841","creationTimestamp":"2019-06-21T18:08:10Z","labels":{"app":"nginx","pod-template-hash":"84ffbbb976"},"ownerReferences":[{"api
Version":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-84ffbbb976","uid":"8742e6a8-944f-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","ports":[{"hostPort":1234,"containerPort":1234,"protocol":"TCP"}],"resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T18:08:10.423301Z","stageTimestamp":"2019-06-21T18:08:10.432566Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/host_pid.json b/test/trace_files/psp/host_pid.json new file mode 100644 index 00000000..3aa0a07b --- /dev/null +++ b/test/trace_files/psp/host_pid.json 
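Review bot: host_network_ports.json sets both `"hostNetwork":true` and a container `"ports":[{"hostPort":1234,...}]`, so if this fixture is meant to exercise a host-port rule in isolation it will presumably also trigger whatever rule keys on `hostNetwork` (the event in the preceding hunk carries the same flag with no ports). A test that asserts the exact set of outputs for this trace needs to account for both, or the fixture should drop `hostNetwork` so one field drives one expected result. This is an inference about the test harness, which is not visible here.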
@@ -0,0 +1,2 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"3df89bb7-9071-4f0c-afab-339ebec678c0","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"73a5fa38-9230-11e9-9af2-08002760e39e","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-6c6f946f-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-6c6f946f-9c727","generateName":"nginx-deployment-6c6f946f-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-6c6f946f-9c727","uid":"db5df1e0-9230-11e9-b061-08002760e39e","resourceVersion":"597","creationTimestamp":"2019-06-19T01:23:34Z","labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db
5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-7t8xw","secret":{"secretName":"default-token-7t8xw","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-7t8xw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-19T01:23:34.789147Z","stageTimestamp":"2019-06-19T01:23:34.798230Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} + diff --git a/test/trace_files/psp/mount_etc_using_host_path.json b/test/trace_files/psp/mount_etc_using_host_path.json new file mode 100644 index 00000000..a7889db1 --- /dev/null +++ b/test/trace_files/psp/mount_etc_using_host_path.json 
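Review bot: The hunk header `@@ -0,0 +1,2 @@` and the bare `+` after the closing `}}` show that host_pid.json ends with an empty second line, whereas every other fixture in this set is a single JSON line with no trailing blank. A reader that parses the file line by line will either skip that line or fail on it depending on how strict it is; dropping the empty line keeps this fixture shaped like host_network_ports.json. The event content itself (`"hostPID":true` in both requestObject and responseObject) is consistent with the other captures.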
@@ -0,0 +1 @@ +{"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""},"auditID":"e456c9cf-9abe-4fa1-8526-e014da96821b","kind":"Event","level":"RequestResponse","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z"},"objectRef":{"apiVersion":"v1","namespace":"default","resource":"pods"},"requestObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":null,"generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}]},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30,"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"}]},"status":{}},"requestReceivedTimestamp":"2018-10-25T17:36:11.686139Z","requestURI":"/api/v1/namespaces/default/pods","responseObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z","generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"name":"nginx-deployment-7d5b5dd9cf-t8ngb","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}],"resourceVersion":"245060","selfLink":"/api/v1/namespaces/default/pods/nginx
-deployment-7d5b5dd9cf-t8ngb","uid":"76e27404-d87c-11e8-88b6-080027728ac4"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"},{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"},{"name":"default-token-g2sp7","secret":{"defaultMode":420,"secretName":"default-token-g2sp7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"responseStatus":{"code":201,"metadata":{}},"sourceIPs":["::1"],"stage":"ResponseComplete","stageTimestamp":"2018-10-25T17:36:11.693676Z","timestamp":"2018-10-25T17:36:11Z","user":{"groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","username":"system:serviceaccount:kube-system:replicaset-controller"},"verb":"create"} diff --git a/test/trace_files/psp/privilege_escalation.json b/test/trace_files/psp/privilege_escalation.json new file mode 100644 index 00000000..df56acca --- /dev/null +++ b/test/trace_files/psp/privilege_escalation.json 
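Review bot: mount_etc_using_host_path.json carries no top-level `apiVersion` field, while every other fixture in this set declares one (`audit.k8s.io/v1`, or `audit.k8s.io/v1beta1` in privileged.json). Its other fields — alphabetically ordered keys, `"metadata":{"creationTimestamp":...}` and a top-level `"timestamp"` — match what privileged.json has under v1beta1, so presumably this is a v1beta1 capture re-serialised by a tool that dropped the version; if the event reader validates or dispatches on `apiVersion`, this fixture will be treated differently from the rest. Adding `"apiVersion":"audit.k8s.io/v1beta1"` (to be confirmed against the original capture) keeps it self-describing. The `hostPath` `/etc` volume and the `/host/etc` mount are present in both requestObject and responseObject, so the condition the rule exercises is intact.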
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"eaf82da5-32c1-4acf-83f1-6da93c5242f0","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-78d8d6bdfd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"78d8d6bdfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78d8d6bdfd","uid":"550d4911-986c-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-78d8d6bdfd-tps4s","generateName":"nginx-deployment-78d8d6bdfd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-78d8d6bdfd-tps4s","uid":"550fa465-986c-11e9-81be-080027f777c0","resourceVersion":"15688","creationTimestamp":"2019-06-26T23:44:26Z","labels":{"app":"nginx","pod-template-hash":"78d8d6bdfd"},"ownerReferences":[{"apiVersion":"
apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78d8d6bdfd","uid":"550d4911-986c-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T23:44:26.246566Z","stageTimestamp":"2019-06-26T23:44:26.252565Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/privileged.json b/test/trace_files/psp/privileged.json new file mode 100644 index 00000000..f1ad92a0 --- /dev/null +++ b/test/trace_files/psp/privileged.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2018-10-25T14:09:12Z"},"level":"RequestResponse","timestamp":"2018-10-25T14:09:12Z","auditID":"a362d22b-db3c-4590-9505-23782f12925f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["::1"],"objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5cdcc99dbf-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"1787755869"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5cdcc99dbf","uid":"8c800470-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"privileged":true}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler"},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5cdcc99dbf-rgw6z","generateName":"nginx-deployment-5cdcc99dbf-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5cdcc99dbf-rgw6z","uid":"8c845395-d85f-11e8-88b6-080027728ac4","resourceVersion":"237252","creationTimestamp":"2018-10-25T14:09:12Z","labels":{"app":"nginx","pod-template-hash":"1787755869"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5cdcc99dbf","uid":"8c800470-d85f-11e8-88b6-080027728a
c4","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-g2sp7","secret":{"secretName":"default-token-g2sp7","defaultMode":420}}],"containers":[{"name":"nginx","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-g2sp7","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"privileged":true}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2018-10-25T14:09:12.572676Z","stageTimestamp":"2018-10-25T14:09:12.581541Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/privileged.scap b/test/trace_files/psp/privileged.scap new file mode 100644 index 00000000..c554277f Binary files /dev/null and b/test/trace_files/psp/privileged.scap differ diff --git a/test/trace_files/psp/proc_mount_type_default.json b/test/trace_files/psp/proc_mount_type_default.json new file mode 100644 index 00000000..52f82509 --- /dev/null +++ b/test/trace_files/psp/proc_mount_type_default.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"bda8604a-87cf-4b49-8f2e-48d47c4e1840","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-9c6775499-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-9c6775499-glf7l","generateName":"nginx-deployment-9c6775499-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-9c6775499-glf7l","uid":"abd68488-9874-11e9-81be-080027f777c0","resourceVersion":"20036","creationTimestamp":"2019-06-27T00:44:07Z","labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"ng
inx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:44:07.805965Z","stageTimestamp":"2019-06-27T00:44:07.813584Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/proc_mount_type_unmasked.json b/test/trace_files/psp/proc_mount_type_unmasked.json new file mode 100644 index 00000000..71a25f7c --- /dev/null +++ b/test/trace_files/psp/proc_mount_type_unmasked.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"bda8604a-87cf-4b49-8f2e-48d47c4e1840","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-9c6775499-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Unmasked"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-9c6775499-glf7l","generateName":"nginx-deployment-9c6775499-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-9c6775499-glf7l","uid":"abd68488-9874-11e9-81be-080027f777c0","resourceVersion":"20036","creationTimestamp":"2019-06-27T00:44:07Z","labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"n
ginx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Unmasked"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:44:07.805965Z","stageTimestamp":"2019-06-27T00:44:07.813584Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/read_only_root_fs.json b/test/trace_files/psp/read_only_root_fs.json new file mode 100644 index 00000000..93d67c66 --- /dev/null +++ b/test/trace_files/psp/read_only_root_fs.json 
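Review bot: proc_mount_type_unmasked.json reuses every identifier from proc_mount_type_default.json in the previous hunk — the same auditID `bda8604a-87cf-4b49-8f2e-48d47c4e1840`, pod uid `abd68488-9874-11e9-81be-080027f777c0`, resourceVersion `20036`, and identical request/stage timestamps — with only `"procMount"` changed from `Default` to `Unmasked`, so it looks like a hand-edited copy rather than an observed event. That is acceptable for a rule fixture, but two events sharing an auditID are indistinguishable to anything that keys on event identity (deduplication, cross-test output comparison), and a reader may assume both were recorded from a real API server. Giving the copy a distinct auditID (any clearly constructed placeholder value) or noting the derivation where the test list references it would avoid that.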
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"cbcb4206-450e-492c-a44c-26ba811965ca","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-8f966b568-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"8f966b568"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-8f966b568","uid":"30325696-9477-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"readOnlyRootFilesystem":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-8f966b568-ph7gk","generateName":"nginx-deployment-8f966b568-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-8f966b568-ph7gk","uid":"30371f6c-9477-11e9-9dc6-080027cac2d9","resourceVersion":"18855","creationTimestamp":"2019-06-21T22:52:04Z","labels":{"app":"nginx","pod-template-hash":"8f966b568"},"ownerReferences":[{"apiVersion":"apps/v1",
"kind":"ReplicaSet","name":"nginx-deployment-8f966b568","uid":"30325696-9477-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"readOnlyRootFilesystem":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T22:52:04.226660Z","stageTimestamp":"2019-06-21T22:52:04.248318Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/run_as_group_1000_container.json b/test/trace_files/psp/run_as_group_1000_container.json new file mode 100644 index 00000000..6b1dfae8 --- /dev/null +++ b/test/trace_files/psp/run_as_group_1000_container.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"Repl
icaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/run_as_group_1000_sec_ctx.json b/test/trace_files/psp/run_as_group_1000_sec_ctx.json new file mode 100644 index 00000000..b26cb9e1 --- /dev/null +++ b/test/trace_files/psp/run_as_group_1000_sec_ctx.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb6
4f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/run_as_group_1000_sec_ctx_30_container.json b/test/trace_files/psp/run_as_group_1000_sec_ctx_30_container.json new file mode 100644 index 00000000..1d9aa05c --- /dev/null +++ b/test/trace_files/psp/run_as_group_1000_sec_ctx_30_container.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"a
pps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/run_as_group_30_container.json b/test/trace_files/psp/run_as_group_30_container.json new file mode 100644 index 00000000..302c021d --- /dev/null +++ b/test/trace_files/psp/run_as_group_30_container.json 
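Review bot: The expected outcome of this fixture is carried only by its file name: the pod-level securityContext sets `"runAsGroup":1000` while the container sets `"runAsGroup":30`, and in Kubernetes a container-level securityContext field takes precedence over the pod-level one, so a rule evaluating the effective group should see 30 here, not 1000. The same layered shape appears in run_as_group_30_sec_ctx_1000_container.json and run_as_user_0_sec_ctx_1000_container.json. Since JSON cannot hold a comment, document the naming convention (the value before `sec_ctx` is pod-level, the value before `container` is container-level, container wins) in the test configuration that references these files or in a README alongside them, so a later maintainer does not swap the two.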
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"Replic
aSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/run_as_group_30_sec_ctx.json b/test/trace_files/psp/run_as_group_30_sec_ctx.json new file mode 100644 index 00000000..8b6cd5dc --- /dev/null +++ b/test/trace_files/psp/run_as_group_30_sec_ctx.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f
6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/run_as_group_30_sec_ctx_1000_container.json b/test/trace_files/psp/run_as_group_30_sec_ctx_1000_container.json new file mode 100644 index 00000000..68834bc8 --- /dev/null +++ b/test/trace_files/psp/run_as_group_30_sec_ctx_1000_container.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"a
pps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/run_as_user_0_container.json b/test/trace_files/psp/run_as_user_0_container.json new file mode 100644 index 00000000..0a42ee41 --- /dev/null +++ b/test/trace_files/psp/run_as_user_0_container.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"39b4acbc-9e5c-451d-a106-104d6be5c87f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-86847998c8-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"86847998c8"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-86847998c8","uid":"eec53a01-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-86847998c8-8r7lr","generateName":"nginx-deployment-86847998c8-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-86847998c8-8r7lr","uid":"eec6db0e-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20888","creationTimestamp":"2019-06-21T23:18:52Z","labels":{"app":"nginx","pod-template-hash":"86847998c8"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"R
eplicaSet","name":"nginx-deployment-86847998c8","uid":"eec53a01-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:52.443785Z","stageTimestamp":"2019-06-21T23:18:52.447067Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/run_as_user_0_container.scap b/test/trace_files/psp/run_as_user_0_container.scap new file mode 100644 index 00000000..641c4c5f Binary files /dev/null and b/test/trace_files/psp/run_as_user_0_container.scap differ diff --git a/test/trace_files/psp/run_as_user_0_sec_ctx.json b/test/trace_files/psp/run_as_user_0_sec_ctx.json new file mode 100644 index 00000000..e60ec631 --- /dev/null +++ b/test/trace_files/psp/run_as_user_0_sec_ctx.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6b
c","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/run_as_user_0_sec_ctx_1000_container.json b/test/trace_files/psp/run_as_user_0_sec_ctx_1000_container.json new file mode 100644 index 00000000..144dbe37 --- /dev/null +++ b/test/trace_files/psp/run_as_user_0_sec_ctx_1000_container.json 
@@ -0,0 +1 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps
/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}} diff --git a/test/trace_files/psp/run_as_user_1000_container.json b/test/trace_files/psp/run_as_user_1000_container.json new file mode 100644 index 00000000..f9d66378 --- /dev/null +++ b/test/trace_files/psp/run_as_user_1000_container.json 
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"Repli
caSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
diff --git a/test/trace_files/psp/run_as_user_1000_sec_ctx.json b/test/trace_files/psp/run_as_user_1000_sec_ctx.json
new file mode 100644
index 00000000..807f8220
--- /dev/null
+++ b/test/trace_files/psp/run_as_user_1000_sec_ctx.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64
f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
diff --git a/test/trace_files/psp/run_as_user_1000_sec_ctx_0_container.json b/test/trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
new file mode 100644
index 00000000..13dc6c73
--- /dev/null
+++ b/test/trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps
/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
diff --git a/test/trace_files/psp/run_as_user_1000_sec_ctx_30_container.json b/test/trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
new file mode 100644
index 00000000..ce599b7f
--- /dev/null
+++ b/test/trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"app
s/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
diff --git a/test/trace_files/psp/run_as_user_30_container.json b/test/trace_files/psp/run_as_user_30_container.json
new file mode 100644
index 00000000..4a694c49
--- /dev/null
+++ b/test/trace_files/psp/run_as_user_30_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"Replica
Set","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
diff --git a/test/trace_files/psp/run_as_user_30_sec_ctx.json b/test/trace_files/psp/run_as_user_30_sec_ctx.json
new file mode 100644
index 00000000..7fd00631
--- /dev/null
+++ b/test/trace_files/psp/run_as_user_30_sec_ctx.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6
bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
diff --git a/test/trace_files/psp/run_as_user_30_sec_ctx_1000_container.json b/test/trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
new file mode 100644
index 00000000..7330a060
--- /dev/null
+++ b/test/trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"app
s/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
diff --git a/test/trace_files/psp/run_as_user_65534_container.scap b/test/trace_files/psp/run_as_user_65534_container.scap
new file mode 100644
index 00000000..63e58a10
Binary files /dev/null and b/test/trace_files/psp/run_as_user_65534_container.scap differ
diff --git a/test/trace_files/psp/supplemental_groups_10_20.json b/test/trace_files/psp/supplemental_groups_10_20.json
new file mode 100644
index 00000000..9ed500d6
--- /dev/null
+++ b/test/trace_files/psp/supplemental_groups_10_20.json 
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"65d26113-ac3c-4ebf-adeb-f7fd0ea907e8","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-b5fb9558-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"b5fb9558"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-b5fb9558","uid":"163b431e-985e-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"supplementalGroups":[10,20]},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-b5fb9558-pt6w2","generateName":"nginx-deployment-b5fb9558-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-b5fb9558-pt6w2","uid":"163e15d9-985e-11e9-81be-080027f777c0","resourceVersion":"8322","creationTimestamp":"2019-06-26T22:02:27Z","labels":{"app":"nginx","pod-template-hash":"b5fb9558"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-b5fb955
8","uid":"163b431e-985e-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"supplementalGroups":[10,20]},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T22:02:27.900555Z","stageTimestamp":"2019-06-26T22:02:27.908051Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
diff --git a/test/trace_files/psp/write_tmp_test.scap b/test/trace_files/psp/write_tmp_test.scap
new file mode 100644
index 00000000..caaa73cb
Binary files /dev/null and b/test/trace_files/psp/write_tmp_test.scap differ