Describe the solution you'd like
@vicenteherrera wrote a nice tool to statically check for Pod Security Standards levels. The tool uses the Pod Security Admission library from Kubernetes repository. https://github.com/vicenteherrera/psa-checker
Having this feature integrated into kubesec as a subcommand (something like kubesec psa-check) would be helpful for users, as they could (e.g., in CI):
- first scan for security risk
- then validate in a second stage if the resource is compliant with the target PSA level
We could also consider adding extra flags to kubesec scan, with a new field in the output, to do both of the above in a single stage.
Consider:
kubesec scan deploy.yaml --enable-psa-check --psa-level restricted
==> This would not break any existing usage as it is opt-in.
This could yield a result that looks like this:
[
  {
    "object": "Deployment/nginx",
    "valid": true,
    "fileName": "deploy.yaml",
    "message": "Passed with a score of 0 points",
    "score": 0,
    "scoring": {
      "advise": [...]
    },
    "podSecurityAdmission": {
      "level": "restricted",
      "valid": false,
      "message": "Deployment nginx-deployment\n PSS level restricted\n Check 8 failed: allowPrivilegeEscalation != false\n container \"nginx\" must set securityContext.allowPrivilegeEscalation=false\n Check 9 failed: unrestricted capabilities\n container \"nginx\" must set securityContext.capabilities.drop=[\"ALL\"]\n Check 11 failed: runAsNonRoot != true\n pod or container \"nginx\" must set securityContext.runAsNonRoot=true\n Check 13 failed: seccompProfile\n pod or container \"nginx\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\"\n"
    }
  }
]
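To make concrete what the proposed podSecurityAdmission field would have to compute, here is an added, self-contained example (not kubesec's or psa-checker's code; the real tool delegates to the k8s.io/pod-security-admission library). It re-implements the four "restricted" checks named in the sample output above over a constructed Deployment manifest, applies the same pod/container inheritance rules PSA uses for runAsNonRoot and seccompProfile, and shapes the outcome like the hypothetical podSecurityAdmission result. The function names (check_restricted, psa_result, harden) and the sample manifest are assumptions for illustration.

```python
"""Static Pod Security Standards check for a workload manifest.

Added example, not kubesec's or psa-checker's code (those call the
k8s.io/pod-security-admission library).  It re-implements the four
"restricted" checks named in the sample output, reports them in the shape
of the proposed podSecurityAdmission output field, and uses only the
standard library so it runs offline.
"""
import copy
import json
from typing import Dict, List

# Constructed sample: a Deployment as it looks after YAML parsing, with no
# securityContext at all, so it fails every restricted-level check below.
SAMPLE_DEPLOYMENT: Dict = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"},
    "spec": {
        "template": {
            "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}
        }
    },
}

ALLOWED_SECCOMP = ("RuntimeDefault", "Localhost")


def pod_spec_of(obj: Dict) -> Dict:
    """PodSpec of a bare Pod, or of the pod template embedded in a workload."""
    if obj.get("kind") == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]


def all_containers(pod_spec: Dict) -> List[Dict]:
    """Every container PSA evaluates: init, regular and ephemeral."""
    return ((pod_spec.get("initContainers") or [])
            + (pod_spec.get("containers") or [])
            + (pod_spec.get("ephemeralContainers") or []))


def check_restricted(obj: Dict) -> List[str]:
    """Return failure messages for the restricted-level subset; [] means pass."""
    spec = pod_spec_of(obj)
    pod_sc = spec.get("securityContext") or {}
    failures: List[str] = []
    for c in all_containers(spec):
        name, sc = c["name"], c.get("securityContext") or {}
        # allowPrivilegeEscalation is container-level only and must be an explicit false.
        if sc.get("allowPrivilegeEscalation") is not False:
            failures.append(f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
        # Capabilities: drop must contain ALL; only NET_BIND_SERVICE may be added back.
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            failures.append(f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        if any(a != "NET_BIND_SERVICE" for a in (caps.get("add") or [])):
            failures.append(f'container "{name}" must not add capabilities other than NET_BIND_SERVICE')
        # runAsNonRoot: a container value overrides the pod value, even if that override is false.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            failures.append(f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
        # seccompProfile: same inheritance; an explicit Unconfined at container level fails.
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            failures.append(f'pod or container "{name}" must set securityContext.seccompProfile.type '
                            f'to "RuntimeDefault" or "Localhost"')
    return failures


def psa_result(obj: Dict, level: str = "restricted") -> Dict:
    """Shape the outcome like the proposed (hypothetical) podSecurityAdmission field."""
    if level != "restricted":
        raise ValueError("only the restricted level is implemented in this example")
    failures = check_restricted(obj)
    header = f'{obj["kind"]} {obj["metadata"]["name"]}\n PSS level {level}\n'
    return {"level": level, "valid": not failures,
            "message": header + "".join(f" {f}\n" for f in failures)}


def harden(obj: Dict) -> Dict:
    """Return a deep copy with the minimal securityContext that satisfies the checks."""
    fixed = copy.deepcopy(obj)
    spec = pod_spec_of(fixed)
    spec["securityContext"] = {**(spec.get("securityContext") or {}),
                               "runAsNonRoot": True,
                               "seccompProfile": {"type": "RuntimeDefault"}}
    for c in all_containers(spec):
        c["securityContext"] = {**(c.get("securityContext") or {}),
                                "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}}
    return fixed


if __name__ == "__main__":
    print(json.dumps(psa_result(SAMPLE_DEPLOYMENT), indent=2))
    print(json.dumps(psa_result(harden(SAMPLE_DEPLOYMENT)), indent=2))
```

Running it prints the failing result for the bare Deployment, then a passing one for the hardened copy. The inheritance handling is the part worth copying: a container that explicitly sets runAsNonRoot: false or seccompProfile.type: Unconfined must fail even when the pod-level securityContext is compliant, which is how the admission library behaves.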