From fd6f3b47759d74fd504adff0995570a1e569d065 Mon Sep 17 00:00:00 2001
From: Matheus Moraes
Date: Tue, 20 Jun 2023 19:08:14 -0300
Subject: [PATCH 1/2] bump marvin container tag to v0.2.0
---
 charts/zora/README.md | 2 +-
 charts/zora/values.yaml | 2 +-
 config/samples/zora_v1alpha1_plugin_marvin.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/zora/README.md b/charts/zora/README.md
index c5d0b867..851fc1bf 100644
--- a/charts/zora/README.md
+++ b/charts/zora/README.md
@@ -97,7 +97,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.marvin.enabled | bool | `true` | Specifies whether the marvin plugin should be created |
 | scan.plugins.marvin.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container |
 | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
-| scan.plugins.marvin.image.tag | string | `"v0.1.6"` | marvin plugin image tag |
+| scan.plugins.marvin.image.tag | string | `"v0.2.0"` | marvin plugin image tag |
 | scan.plugins.popeye.enabled | bool | `true` | Specifies whether the popeye plugin should be created |
 | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml
index 0ff286ff..406ca7ed 100644
--- a/charts/zora/values.yaml
+++ b/charts/zora/values.yaml
@@ -160,7 +160,7 @@ scan: # -- marvin plugin image repository repository: ghcr.io/undistro/marvin # -- marvin plugin image tag - tag: v0.1.6 + tag: v0.2.0 popeye: # -- Specifies whether the popeye plugin should be created
diff --git a/config/samples/zora_v1alpha1_plugin_marvin.yaml b/config/samples/zora_v1alpha1_plugin_marvin.yaml
index da0a1492..5ad538b1 100644
--- a/config/samples/zora_v1alpha1_plugin_marvin.yaml
+++ b/config/samples/zora_v1alpha1_plugin_marvin.yaml
@@ -9,7 +9,7 @@ metadata:
 app.kubernetes.io/created-by: zora
 name: marvin
 spec:
- image: ghcr.io/undistro/marvin:v0.1.6
+ image: ghcr.io/undistro/marvin:v0.2.0
 resources:
 limits:
 cpu: 500m
From 9747fa0bf42c5d853217e5859cd6051143fec316 Mon Sep 17 00:00:00 2001
From: Matheus Moraes
Date: Tue, 20 Jun 2023 19:08:50 -0300
Subject: [PATCH 2/2] urls and categories for new marvin checks
---
 go.mod | 2 +-
 pkg/worker/report/marvin/parse.go | 29 +++++++-----
 pkg/worker/report/marvin/parse_test.go | 22 ++++++++++
 .../report/marvin/testdata/httpbin.json | 44 +++++++++++++++++++
 pkg/worker/report/marvin/urls.go | 23 +++++++++-
 5 files changed, 105 insertions(+), 15 deletions(-)
diff --git a/go.mod b/go.mod
index 85fcd7e8..18c10856 100644
--- a/go.mod
+++ b/go.mod
@@ -11,6 +11,7 @@ require (
 github.com/undistro/marvin v0.1.6
 go.uber.org/zap v1.24.0
 k8s.io/api v0.26.3
+ k8s.io/apiextensions-apiserver v0.26.1
 k8s.io/apimachinery v0.26.3
 k8s.io/client-go v0.26.3
 k8s.io/metrics v0.26.3
@@ -69,7 +70,6 @@ require (
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
- k8s.io/apiextensions-apiserver v0.26.1 // indirect
 k8s.io/apiserver v0.26.3 // indirect
 k8s.io/component-base v0.26.3 // indirect
 k8s.io/klog/v2 v2.90.1 // indirect
diff --git a/pkg/worker/report/marvin/parse.go b/pkg/worker/report/marvin/parse.go
index c3fbdc31..7f514912 100644
--- a/pkg/worker/report/marvin/parse.go
+++ b/pkg/worker/report/marvin/parse.go
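Review bot: The `github.com/undistro/marvin v0.1.6` requirement in the first go.mod hunk is left untouched while the first patch of this series moves the plugin image to v0.2.0, so the worker now parses v0.2.0 reports through the v0.1.6 `marvin.Report`/`marvin.CheckResult` types. The added httpbin.json fixture shows the new M-400/M-407 entries using the same fields as the existing checks, so this is probably compatible, but pinning the module to the same release would keep the parser and the image it consumes in step and turn a future schema change into a build-time failure instead of silently dropped fields. The promotion of `k8s.io/apiextensions-apiserver` from `// indirect` to a direct requirement is not explained by any code in this diff; presumably a file outside the patch imports it, which is worth confirming so `go mod tidy` does not revert it.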
@@ -57,23 +57,28 @@ func clusterIssueSpec(report *marvin.Report, check *marvin.CheckResult) *v1alpha
 resources[gvr] = append(resources[gvr], obj)
 }
 }
- custom := !check.Builtin
- category := "Security"
- if c, ok := check.Labels["category"]; ok && custom {
- category = c
- }
- url := urls[check.ID]
- if u, ok := check.Labels["url"]; ok && custom {
- url = u
- }
 return &v1alpha1.ClusterIssueSpec{
 ID: check.ID,
 Message: check.Message,
 Severity: marvinToZoraSeverity[check.Severity],
- Category: category,
+ Category: getCategory(check),
 Resources: resources,
 TotalResources: 0,
- Url: url,
- Custom: custom,
+ Url: getURL(check),
+ Custom: !check.Builtin,
+ }
+}
+
+func getCategory(check *marvin.CheckResult) string {
+ if c, ok := check.Labels["category"]; ok && !check.Builtin {
+ return c
+ }
+ switch check.ID {
+ case "M-400", "M-401":
+ return "Best Practices"
+ case "M-402", "M-403", "M-404", "M-405", "M-406", "M-407":
+ return "Reliability"
+ default:
+ return "Security"
 }
 }
diff --git a/pkg/worker/report/marvin/parse_test.go b/pkg/worker/report/marvin/parse_test.go
index 1ea565ed..20622c81 100644
--- a/pkg/worker/report/marvin/parse_test.go
+++ b/pkg/worker/report/marvin/parse_test.go
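Review bot: getCategory keeps a second hand-maintained list of builtin check IDs next to the one in the `urls` map in urls.go, and any builtin ID missing from the switch silently lands in "Security" — the same silent fallback `urls[check.ID]` has for an unmapped ID, except that there the result is an empty URL rather than a wrong category. A category map keyed like `urls` (`var categories = map[string]string{"M-400": "Best Practices", ...}` with the "Security" default applied on a miss) would keep both lookups in one place and let a small test assert that every key in `urls` has a category and vice versa, so a future marvin release's checks cannot end up half-mapped. The function also lacks a doc comment, e.g. `// getCategory returns the issue category for a check: non-builtin checks may set it through the "category" label, builtin checks are classified by ID and default to "Security".` clusterIssueSpec begins before this hunk, so its earlier body is not reviewed here.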
@@ -36,6 +36,28 @@ func TestParse(t *testing.T) {
 name: "OK",
 filename: "httpbin.json",
 want: []*v1alpha1.ClusterIssueSpec{
+ {
+ ID: "M-400",
+ Message: "Image tagged latest",
+ Severity: v1alpha1.SeverityMedium,
+ Category: "Best Practices",
+ Resources: map[string][]string{
+ "apps/v1/deployments": {"httpbin/httpbin"},
+ "apps/v1/replicasets": {"httpbin/httpbin-5978c9d878"},
+ },
+ Url: "https://kubernetes.io/docs/concepts/containers/images/#image-names",
+ },
+ {
+ ID: "M-407",
+ Message: "CPU not limited",
+ Severity: v1alpha1.SeverityMedium,
+ Category: "Reliability",
+ Resources: map[string][]string{
+ "apps/v1/deployments": {"httpbin/httpbin"},
+ "apps/v1/replicasets": {"httpbin/httpbin-5978c9d878"},
+ },
+ Url: k8sResourcesURL,
+ },
 {
 ID: "M-116",
 Message: "Not allowed added/dropped capabilities",
diff --git a/pkg/worker/report/marvin/testdata/httpbin.json b/pkg/worker/report/marvin/testdata/httpbin.json
index 67658c83..d43456c2 100644
--- a/pkg/worker/report/marvin/testdata/httpbin.json
+++ b/pkg/worker/report/marvin/testdata/httpbin.json
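Review bot: The two new expectations exercise getCategory only through the fixture, for M-400 and M-407, so the `!check.Builtin` guard — the part that decides whether a check's own `category`/`url` labels are trusted — is never tested, and neither are the M-401..M-406 branches or the "Security" default. A direct table test for getCategory and getURL with three cases would pin that contract: a builtin check carrying `Labels: map[string]string{"category": "x", "url": "y"}` must still get its ID-based category and `urls[ID]`; a non-builtin check with the same labels must get them back; an unknown builtin ID must get "Security" and an empty URL. Both functions take a `*marvin.CheckResult` that can be built inline, so no new fixture is needed. TestParse starts before this hunk.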
@@ -11,6 +11,50 @@
 "platform": "linux/amd64"
 },
 "checks": [
+ {
+ "id": "M-400",
+ "message": "Image tagged latest",
+ "severity": "Medium",
+ "builtin": true,
+ "path": "general/M-400_image_tag_latest.yaml",
+ "status": "Failed",
+ "failed": {
+ "apps/v1/Deployment": [
+ "httpbin/httpbin"
+ ],
+ "apps/v1/ReplicaSet": [
+ "httpbin/httpbin-5978c9d878"
+ ]
+ },
+ "passed": {},
+ "skipped": {},
+ "errors": [],
+ "totalFailed": 2,
+ "totalPassed": 0,
+ "totalSkipped": 0
+ },
+ {
+ "id": "M-407",
+ "message": "CPU not limited",
+ "severity": "Medium",
+ "builtin": true,
+ "path": "general/M-407_cpu_limit.yaml",
+ "status": "Failed",
+ "failed": {
+ "apps/v1/Deployment": [
+ "httpbin/httpbin"
+ ],
+ "apps/v1/ReplicaSet": [
+ "httpbin/httpbin-5978c9d878"
+ ]
+ },
+ "passed": {},
+ "skipped": {},
+ "errors": [],
+ "totalFailed": 2,
+ "totalPassed": 0,
+ "totalSkipped": 0
+ },
 {
 "id": "M-116",
 "message": "Not allowed added/dropped capabilities",
diff --git a/pkg/worker/report/marvin/urls.go b/pkg/worker/report/marvin/urls.go
index 5b2b4806..724548ce 100644
--- a/pkg/worker/report/marvin/urls.go
+++ b/pkg/worker/report/marvin/urls.go
@@ -14,9 +14,12 @@ package marvin +import marvin "github.com/undistro/marvin/pkg/types" + const ( pssBaselineURL = "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" pssRestrictedURL = "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted" + k8sResourcesURL = "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ) var urls = map[string]string{
@@ -39,9 +42,25 @@ var urls = map[string]string{ "M-115": pssRestrictedURL, "M-116": pssRestrictedURL, - "M-300": "https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF#page=50", - "M-201": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9026%20Avoid%20using%20plain%20text%20credentials%20in%20configuration%20files/", "M-202": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9025%20Disable%20Service%20Account%20Auto%20Mount/", "M-203": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9015%20Avoid%20Running%20Management%20Interface%20on%20Containers/", + + "M-300": "https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF#page=50", + + "M-400": "https://kubernetes.io/docs/concepts/containers/images/#image-names", + "M-401": "https://kubernetes.io/docs/concepts/configuration/overview/#naked-pods-vs-replicasets-deployments-and-jobs", + "M-402": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "M-403": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "M-404": k8sResourcesURL, + "M-405": k8sResourcesURL, + "M-406": k8sResourcesURL, + "M-407": k8sResourcesURL, +} + +func getURL(check *marvin.CheckResult) string { + if u, ok := check.Labels["url"]; ok && !check.Builtin { + return u + } + return urls[check.ID] }
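Review bot: getURL forwards the `url` label of a non-builtin check unchanged into ClusterIssueSpec.Url, so a plugin-supplied string of any shape becomes the issue's reference link; this matches the inlined code it replaces, but the new function is the natural place to constrain it. If a consumer renders the field as a hyperlink, parsing the label with `net/url` and returning it only for `http`/`https` schemes, falling back to the builtin table otherwise, would bound what a custom check can inject: `if p, err := url.Parse(u); err == nil && (p.Scheme == "http" || p.Scheme == "https") { return u }`. A doc comment is also missing, e.g. `// getURL returns the reference URL for a check: non-builtin checks may supply one via the "url" label, builtin checks are looked up by ID in urls.` The apparent removal of the "M-201" entry is most likely a rendering artefact of this page rather than a real deletion — the hunk counts (-39,9 +42,25) only add up if the removed lines are "M-300" and the blank line after it, with "M-201" kept as context — but it is worth a glance at the actual patch.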