From f14b37984c13cc00b00a0dcdb8fde81364ea3201 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 5 Apr 2021 16:15:04 -0700
Subject: [PATCH] Add test for some containers being privileged

Add a test that verifies that a pod where one container has no security context and the second container has a security context + privileged properly matches the Create Privileged Pod falco rule.

There's a very similar test case already in trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json, but in that case both containers have a securityContext property.

Signed-off-by: Mark Stemm
---
 test/falco_k8s_audit_tests.yaml | 10 ++++++++++
 ..._secctx_1st_container_privileged_2nd_container.json | 1 +
 2 files changed, 11 insertions(+)
 create mode 100644 test/trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json

diff --git a/test/falco_k8s_audit_tests.yaml b/test/falco_k8s_audit_tests.yaml
index 285b9690..2866e991 100644
--- a/test/falco_k8s_audit_tests.yaml
+++ b/test/falco_k8s_audit_tests.yaml
@@ -128,6 +128,16 @@ trace_files: !mux
 - Create Privileged Pod: 1
 trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json

+ create_privileged_no_secctx_1st_container_2nd_container_pod:
+ detect: True
+ detect_level: WARNING
+ rules_file:
+ - ../rules/falco_rules.yaml
+ - ../rules/k8s_audit_rules.yaml
+ detect_counts:
+ - Create Privileged Pod: 1
+ trace_file: trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
+
 create_privileged_2nd_container_pod:
 detect: True
 detect_level: WARNING
diff --git a/test/trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json b/test/trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
new file mode 100644
index 00000000..5b34c07e
--- /dev/null
+++ b/test/trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
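Review bot: The new test key `create_privileged_no_secctx_1st_container_2nd_container_pod` does not say which container is privileged, so it reads as if neither is, and it does not mirror the trace file it points at (`create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json`) or its sibling `create_privileged_2nd_container_pod`. Renaming the key to `create_privileged_2nd_container_no_secctx_1st_container_pod:` keeps the `create_privileged_2nd_container_*` grouping and states the variant being exercised. Since the fixture is JSON and cannot carry a comment, this yaml entry is also the only place to record what the case covers; a one-line `# only the 2nd container sets securityContext; the 1st has none` above the key would do it.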
@@ -0,0 +1 @@
+{"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""},"auditID":"f83ecd50-5bf4-4fe7-a419-dea22852ca49","kind":"Event","level":"RequestResponse","metadata":{"creationTimestamp":"2018-10-25T17:53:07Z"},"objectRef":{"apiVersion":"v1","namespace":"default","resource":"pods"},"requestObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":null,"generateName":"nginx-deployment-544b59f8b8-","labels":{"app":"nginx","pod-template-hash":"1006159464"},"ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-544b59f8b8","uid":"d40b40e1-d87e-11e8-a473-080027728ac4"}]},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx1","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"},{"image":"mysql:latest","imagePullPolicy":"Always","name":"mysql","resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30},"status":{}},"requestReceivedTimestamp":"2018-10-25T17:53:06.995407Z","requestURI":"/api/v1/namespaces/default/pods","responseObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":"2018-10-25T17:53:06Z","generateName":"nginx-deployment-544b59f8b8-","labels":{"app":"nginx","pod-template-hash":"1006159464"},"name":"nginx-deployment-544b59f8b8-ffkxm","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-544b59f8b8","uid":"d40b40e1-d87e-11e8-a473-080027728
ac4"}],"resourceVersion":"246302","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-544b59f8b8-ffkxm","uid":"d40dfcd7-d87e-11e8-a473-080027728ac4"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx1","resources":{},"securityContext":{"privileged":false},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]},{"image":"mysql:latest","imagePullPolicy":"Always","name":"mysql","resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"name":"default-token-g2sp7","secret":{"defaultMode":420,"secretName":"default-token-g2sp7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"responseStatus":{"code":201,"metadata":{}},"sourceIPs":["::1"],"stage":"ResponseComplete","stageTimestamp":"2018-10-25T17:53:07.006845Z","timestamp":"2018-10-25T17:53:06Z","user":{"groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","username":"system:serviceaccount:kube-system:replicaset-controller"},"verb":"create"}
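Review bot: The "no security context on the first container" property holds only in `requestObject`: there `nginx1` has no `securityContext` key, but in `responseObject` the same container carries `"securityContext":{"privileged":false}` (the server-defaulted form), so the fixture exercises the missing-key case only for fields that read the request side. The `ka.req.*` fields the Create Privileged Pod rule uses appear to read `requestObject`, which is what this test relies on; that dependency is not visible from the fixture itself, and if a rule or field were ever switched to the response side this case would silently stop covering the variant the commit describes. Because a strict JSON fixture cannot hold a comment, the caveat belongs next to the test entry in `test/falco_k8s_audit_tests.yaml`, e.g. `# requestObject omits securityContext for nginx1; responseObject carries the defaulted privileged:false`. Minor: the privileged container is `mysql:latest`, not nginx, despite the `create_nginx_pod_*` file name, which is consistent with the sibling fixture but worth knowing when reading the detect count.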