From 02f1550261dbcc968620c13d154aeb797c4d1fa3 Mon Sep 17 00:00:00 2001
From: Philip Gough
Date: Wed, 19 Jan 2022 15:04:31 +0000
Subject: [PATCH 1/3] ci: Add exceptions for node-exporter to kubescape config

---
 kubescape-exceptions.json | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 kubescape-exceptions.json

diff --git a/kubescape-exceptions.json b/kubescape-exceptions.json
new file mode 100644
index 00000000..11ae8186
--- /dev/null
+++ b/kubescape-exceptions.json
@@ -0,0 +1,29 @@
+[
+ {
+ "name": "exclude-node-exporter-host-access-checks",
+ "policyType": "postureExceptionPolicy",
+ "actions": [
+ "alertOnly"
+ ],
+ "resources": [
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "DaemonSet",
+ "name": "node-exporter"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "controlName": "Container hostPort"
+ },
+ {
+ "controlName": "Host PID/IPC privileges"
+ },
+ {
+ "controlName": "HostNetwork access"
+ }
+ ]
+ }
+]
\ No newline at end of file

From b92465034420a9f8976d8490c3f9f79fb52e9635 Mon Sep 17 00:00:00 2001
From: Philip Gough
Date: Wed, 19 Jan 2022 15:06:15 +0000
Subject: [PATCH 2/3] docs: Add details about security scanning of manifests and exceptions

---
 README.md | 1 +
 docs/security.md | 11 +++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 docs/security.md

diff --git a/README.md b/README.md
index 03ef98db..e65bc809 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,7 @@ If you are migrating from `release-0.7` branch or earlier please read [what chan
 - [Customization Examples](#customization-examples)
 - [Minikube Example](#minikube-example)
 - [Continuous Delivery](#continuous-delivery)
+ - [Security](docs/security.md)
 - [Troubleshooting](#troubleshooting)
 - [Error retrieving kubelet metrics](#error-retrieving-kubelet-metrics)
 - [Authentication problem](#authentication-problem)
diff --git a/docs/security.md b/docs/security.md
new file mode 100644
index 00000000..0de52547
--- /dev/null
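Review bot: The designator in `resources` matches on `kind` and `name` only, so the exception applies to any DaemonSet named `node-exporter` in any namespace of the scanned manifests rather than just the one this repository generates; adding `"namespace": "<namespace of the generated node-exporter>"` to the `attributes` object pins it to the intended workload. The excepted control `Host PID/IPC privileges` also covers `hostIPC`, while the docs added later in this series justify only `hostPID`, so a later `hostIPC: true` on node-exporter would be excepted without producing a finding; since this JSON file has no comment syntax, it is worth recording where the exceptions are documented that only PID access is required. As I read the `alertOnly` action, the three findings stay visible in the report but no longer count toward the risk score — presumably the intent, given the threshold is lowered in the same series.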
+++ b/docs/security.md
@@ -0,0 +1,11 @@
+## Security
+
+The manifests generated in this repository are subject to a security audit in CI via [kubescape](https://github.com/armosec/kubescape).
+The scan can be run locally via `make kubescape`.
+
+While we aim for best practices in terms of security by default, due to the nature of the project, we are required to make the exceptions in the following components:
+
+#### node-exporter
+* Host Port is set. https://hub.armo.cloud/docs/c-0044 is not relevant since node-exporter is considered as a core platform component running as a DaemonSet.
+* Host PID is set to `true`, since node-exporter requires direct access to the host namespace to gather statistics.
+* Host Network is set to `true`, since node-exporter requires direct access to the host network to gather statistics.

From 586fc87b81f71bdf64248861efa015f42e418453 Mon Sep 17 00:00:00 2001
From: Philip Gough
Date: Wed, 19 Jan 2022 15:06:45 +0000
Subject: [PATCH 3/3] make: Lower the threshold for the security scan to account for documented exceptions

---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index d3282939..f5310b3c 100644
--- a/Makefile
+++ b/Makefile
@@ -65,8 +65,8 @@ kubeconform: crdschemas manifests $(KUBECONFORM_BIN)
 $(KUBECONFORM_BIN) -kubernetes-version $(KUBE_VERSION) -schema-location 'default' -schema-location 'crdschemas/{{ .ResourceKind }}.json' -skip CustomResourceDefinition manifests/

 .PHONY: kubescape
-kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above 40%
- $(KUBESCAPE_BIN) scan -s framework -t 30 nsa manifests/*.yaml
+kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above threshold percentage 't'
+ $(KUBESCAPE_BIN) scan -s framework -t 25 nsa manifests/*.yaml --exceptions 'kubescape-exceptions.json'

 .PHONY: fmt
 fmt: $(JSONNETFMT_BIN)
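Review bot: The new `## Runs a security analysis …` help text points the user at a threshold `'t'`, but 25 is still a literal inside the recipe, so there is no knob to set from the command line; hoist it into a variable, e.g. `KUBESCAPE_THRESHOLD ?= 25` next to the other tunables (outside this hunk) and `-t $(KUBESCAPE_THRESHOLD)` in the recipe, with the `##` comment naming that variable. The exceptions file is only named inside the recipe; listing it as a prerequisite, `kubescape: $(KUBESCAPE_BIN) kubescape-exceptions.json`, makes the dependency visible in the graph and fails with a clear message if the file is missing or renamed rather than at scan time. Note also that, unlike `kubeconform: crdschemas manifests $(KUBECONFORM_BIN)` in the context lines, this target does not depend on `manifests`, so a stale `manifests/` directory is scanned without being regenerated — presumably intentional, but worth confirming since the scan result is what gates CI.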