Add overrides for hostpath, seccomp, and capabilities checks

Tim Allclair 2022-01-21 17:20:03 -08:00
parent 305e0b1210
commit 928448dd36
10 changed files with 22 additions and 13 deletions


@ -41,11 +41,13 @@ func init() {
addCheck(CheckCapabilitiesBaseline)
}
const checkCapabilitiesBaselineID CheckID = "capabilities_baseline"
// CheckCapabilitiesBaseline returns a baseline level check
// that limits the capabilities that can be added in 1.0+
func CheckCapabilitiesBaseline() Check {
return Check{
ID: "capabilities_baseline",
ID: checkCapabilitiesBaselineID,
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
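Review bot: The new `checkCapabilitiesBaselineID` constant has no doc comment and is declared as a bare `const` between `init()` and the `CheckCapabilitiesBaseline` doc comment, whereas the seccomp hunk in this same commit places its ID inside the file's grouped `const (...)` block; the hostPath hunk has the same shape as this one. A one-line comment would tell readers why the ID was lifted out of the struct literal: `// checkCapabilitiesBaselineID is the ID of the baseline capabilities check; the restricted capabilities check names it in OverrideCheckIDs.`. Moving the constant into a const block, or next to the other package-level identifiers, would make the three files consistent. The enclosing `init()` starts outside the hunk.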


@ -62,8 +62,9 @@ func CheckCapabilitiesRestricted() Check {
Level: api.LevelRestricted,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 22),
CheckPod: capabilitiesRestricted_1_22,
MinimumVersion: api.MajorMinorVersion(1, 22),
CheckPod: capabilitiesRestricted_1_22,
OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
},
},
}
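Review bot: The new `OverrideCheckIDs` entry makes the restricted capabilities check stand in for the baseline one, so the restricted level only remains at least as strict as baseline if `capabilitiesRestricted_1_22` rejects every pod that `CheckCapabilitiesBaseline` rejects, and nothing in this hunk or in `TestValidChecks` (which only asserts that the overridden ID exists) pins that invariant. The hostPath and seccomp override hunks in this commit have the same property. Consider a comment on the new line, `// Overrides the baseline check: this check must reject a superset of what capabilities_baseline rejects.`, and, if the registry does not already enforce it, a test that an overriding check's level is stricter than the level of every check it overrides. How the registry resolves an override whose MinimumVersion (1.22 here) is later than the overridden check's (1.0+ per the baseline check's doc comment) is not visible here and is worth confirming. `CheckCapabilitiesRestricted`'s body starts outside the hunk.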


@ -38,11 +38,13 @@ func init() {
addCheck(CheckHostPathVolumes)
}
const checkHostPathVolumesID CheckID = "hostPathVolumes"
// CheckHostPathVolumes returns a baseline level check
// that requires hostPath=undefined/null in 1.0+
func CheckHostPathVolumes() Check {
return Check{
ID: "hostPathVolumes",
ID: checkHostPathVolumesID,
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{


@ -76,8 +76,9 @@ func CheckRestrictedVolumes() Check {
Level: api.LevelRestricted,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: restrictedVolumes_1_0,
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: restrictedVolumes_1_0,
OverrideCheckIDs: []CheckID{checkHostPathVolumesID},
},
},
}


@ -49,6 +49,8 @@ spec.initContainers[*].securityContext.seccompProfile.type
const (
annotationKeyPod = "seccomp.security.alpha.kubernetes.io/pod"
annotationKeyContainerPrefix = "container.seccomp.security.alpha.kubernetes.io/"
checkSeccompBaselineID CheckID = "seccompProfile_baseline"
)
func init() {
@ -57,7 +59,7 @@ func init() {
func CheckSeccompBaseline() Check {
return Check{
ID: "seccompProfile_baseline",
ID: checkSeccompBaselineID,
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{


@ -51,8 +51,9 @@ func CheckSeccompProfileRestricted() Check {
Level: api.LevelRestricted,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 19),
CheckPod: seccompProfileRestricted_1_19,
MinimumVersion: api.MajorMinorVersion(1, 19),
CheckPod: seccompProfileRestricted_1_19,
OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
},
},
}


@ -36,7 +36,7 @@ func TestValidChecks(t *testing.T) {
for _, check := range allChecks {
for _, c := range check.Versions {
for _, override := range c.OverrideCheckIDs {
assert.Contains(t, allIDs, override, "check %s overrides non-existant check %s", check.ID, override)
assert.Contains(t, allIDs, override, "check %s overrides non-existent check %s", check.ID, override)
}
}
}


@ -33,7 +33,7 @@ type Evaluator interface {
// checkRegistry provides a default implementation of an Evaluator.
type checkRegistry struct {
// The checks are a map policy verison to a slice of checks registered for that version.
// The checks are a map policy version to a slice of checks registered for that version.
baselineChecks, restrictedChecks map[api.Version][]CheckPodFn
// maxVersion is the maximum version that is cached, guaranteed to be at least
// the max MinimumVersion of all registered checks.


@ -47,7 +47,7 @@ func ensureCapabilities(p *corev1.Pod) *corev1.Pod {
func init() {
fixtureData_1_0 := fixtureGenerator{
expectErrorSubstring: "non-default capabilities",
expectErrorSubstring: "capabilities",
generatePass: func(p *corev1.Pod) []*corev1.Pod {
// don't generate fixtures if minimal valid pod drops ALL
if p.Spec.Containers[0].SecurityContext != nil && p.Spec.Containers[0].SecurityContext.Capabilities != nil {
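Review bot: Loosening `expectErrorSubstring` from `"non-default capabilities"` to `"capabilities"` makes the fixture accept any capabilities-related rejection message, so it can no longer distinguish a pod rejected by the baseline check from one rejected by the restricted check that now overrides it; presumably the restricted check's message differs, which is why the shared substring was chosen. The hostPath fixture hunk makes the same change (`"hostPath volumes"` → `"hostPath"`). If `fixtureGenerator` can carry a per-level expectation, keeping the precise substring for each level preserves the assertion's strength; otherwise a comment such as `// substring common to the baseline and restricted rejection messages, since the restricted check overrides this one` records why the weaker match is intended. The `init()` body and the `fixtureGenerator` literal continue outside the hunk.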


@ -28,7 +28,7 @@ TODO: include field paths in reflect-based unit test
func init() {
fixtureData_1_0 := fixtureGenerator{
expectErrorSubstring: "hostPath volumes",
expectErrorSubstring: "hostPath",
generatePass: func(p *corev1.Pod) []*corev1.Pod {
// minimal valid pod already captures all valid combinations
return nil