

fix: Fix security context container bug
dorukozturk committed Sep 12, 2023
1 parent 5deb00a commit c294211
Showing 19 changed files with 10,260 additions and 2 deletions.
14 changes: 12 additions & 2 deletions hardeneks/namespace_based/security/iam.py
Expand Up @@ -73,21 +73,31 @@ class disable_run_as_root_user(Rule):

def check(self, namespaced_resources: NamespacedResources):

import pudb; pudb.set_trace()
offenders = []

for pod in namespaced_resources.pods:
security_context = pod.spec.security_context
containers = pod.spec.containers

if (
not security_context.run_as_group
and not security_context.run_as_user
):
offenders.append(pod)

for con in containers:
security_context = con.security_context
try:
run_as_group = security_context.run_as_group
run_as_user = security_context.run_as_user
except AttributeError:
offenders.append(pod)

self.result = Result(
status=True,
resource_type="Pod",
namespace=namespaced_resources.namespace,
)

if offenders:
self.result = Result(
status=False,
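Review bot: The new `for con in containers:` loop reads `run_as_group` and `run_as_user` into locals it never tests, so a container whose `securityContext` is present but leaves `runAsUser` unset, or sets `runAsUser: 0` explicitly, is never flagged, while a container with no `securityContext` at all is flagged even when the pod-level context above already sets a non-root user that the container inherits. The same pod is also appended to `offenders` once per offending container. Resolving each field as the container value, falling back to the pod value only when the container leaves it unset, and recording the pod once fixes all three; `pod.spec.security_context` can itself be `None` in the client model, which the pod-level branch at `security_context.run_as_group` does not guard against, so the same fallback should be applied there. If `import pudb; pudb.set_trace()` is on the new side of this hunk, it is an interactive debugger breakpoint that would halt every run of this rule and must not ship. The `check` body continues past the end of the hunk, so the failure-path `Result` is not visible here.
```python
def _effective(con_ctx, pod_ctx, field):
    # Container-level securityContext overrides the pod-level one; an unset
    # container field inherits the pod's value, so only a genuinely unset
    # field falls through to None (0 must stay 0, hence no `or`).
    con_val = getattr(con_ctx, field, None)
    return con_val if con_val is not None else getattr(pod_ctx, field, None)

        for pod in namespaced_resources.pods:
            pod_ctx = pod.spec.security_context  # may be None
            for con in pod.spec.containers:
                user = _effective(con.security_context, pod_ctx, "run_as_user")
                group = _effective(con.security_context, pod_ctx, "run_as_group")
                # Neither field set (or user explicitly 0) means the image default,
                # which is commonly root.
                if not user and not group:
                    offenders.append(pod)
                    break  # one entry per pod
        # … unchanged: Result assignment …
```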
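--- /dev/null
+++ b/tests/data/disable_run_as_root_user_container/bad.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+namespace: test-namespace
+name: bad
+spec:
+containers:
+- name: sec-ctx-demo
+image: busybox
+command: [ "sh", "-c", "sleep 1h" ]
+securityContext:
+runAsUser: 1000
+runAsGroup: 3000
+- name: sec-ctx-demo-2
+image: busybox
+command: [ "sh", "-c", "sleep 1h" ]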
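Review bot: This fixture only covers the case where `sec-ctx-demo-2` has no `securityContext` block at all, which is the one shape the new container loop reacts to (via `AttributeError`). A container that carries a `securityContext` with only unrelated fields, or one with `securityContext: {runAsUser: 0}`, would still run as root yet pass the check as written, so a third container or a sibling fixture with that shape would pin the behaviour the rule name promises. A matching `good.yaml` presumably accompanies this file but is not visible in this view.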


