Skip to content

15.IaC_Code_Analysis__Kubernetes_Manifests.md

Latest commit

 

History

History
314 lines (216 loc) · 4.98 KB

15.IaC_Code_Analysis__Kubernetes_Manifests.md

File metadata and controls

314 lines (216 loc) · 4.98 KB

IaC Code Analysis - Kubernetes Manifests

Common Kubernetes Manifests Security Issues

Running Containers as Root

securityContext:
  runAsUser: 0
securityContext:
  runAsUser: 1000  # Use a non-root user
  runAsNonRoot: true

Privileged Containers

securityContext:
  privileged: true
securityContext:
  privileged: false

Missing Read-Only Root Filesystem

securityContext:
  readOnlyRootFilesystem: false
securityContext:
  readOnlyRootFilesystem: true

Allowing Host Network and Host PID/IPC Access

hostNetwork: true
hostPID: true
hostIPC: true
hostNetwork: false
hostPID: false
hostIPC: false

Insecure Capabilities

securityContext:
  capabilities:
    add:
      - NET_ADMIN
securityContext:
  capabilities:
    drop:
      # Remove all unnecessary capabilities
      - ALL

Using Default Service Accounts

serviceAccountName: default
# Use a dedicated service account with minimal permissions
serviceAccountName: custom-sa

Missing Resource Requests and Limits

resources:
  requests:
    cpu: ""
    memory: ""
  limits:
    cpu: ""
    memory: ""
resources:
  requests:
    cpu: "100m"
    memory: "256Mi"
  limits:
    cpu: "500m"
    memory: "512Mi"

Hardcoded Secrets in Manifests

env:
  - name: DATABASE_PASSWORD
    value: "supersecretpassword"
env:
  - name: DATABASE_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db-secret
        key: password

Lack of Network Policies

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-traffic
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: trusted-app

Excessive Pod Capabilities

securityContext:
  allowPrivilegeEscalation: true
securityContext:
  allowPrivilegeEscalation: false

Using latest Image Tag

image: my-app:latest
# Use a specific, immutable tag
image: my-app:v1.0.0

Static Analysis for Kubernetes Manifests Using KubeLinter

- description: A regex specifying the required service account to match.
  name: serviceAccount
  negationAllowed: true
  regexAllowed: true
  required: true
  type: string
checks:
  include:
    - run-as-non-root
    - no-privileged-containers
  exclude:
    - dangling-service
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  metadata:
    annotations:
      ignore-check.kube-linter.io/privileged-container: "This container requires privileged mode for XYZ."
      ignore-check.kube-linter.io/run-as-non-root: "This container requires root access for ABC."
      [...]
# Export the Go URL to a variable
# Change the version number if needed
url=https://go.dev/dl/go1.24.1.linux-amd64.tar.gz

# Download the Go tarball
wget $url

# Extract the tarball to /usr/local
tar -C /usr/local -xzf go1.24.1.linux-amd64.tar.gz

# Add the Go binary to the PATH
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc

# Source the .bashrc file
source ~/.bashrc

# Remove the tarball
rm go1.24.1.linux-amd64.tar.gz

# Verify the installation
go version
# Export the Kube-linter version to a variable
export KUBE_LINTER_VERSION=v0.7.2

# Install Kube-linter using Go
go install \
    golang.stackrox.io/kube-linter/cmd/kube-linter@$KUBE_LINTER_VERSION

# Export the Kube-linter binary to the PATH
echo 'export PATH=$PATH:$(go env GOPATH)/bin' >> ~/.bashrc

# Source the .bashrc file
source ~/.bashrc
kube-linter lint $HOME/RestQR/deploy/kubernetes
/root/RestQR/deploy/kubernetes/menu-deployment.yaml: (object: <no namespace>/menu apps/v1, Kind=Deployment) container "menu" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in the container securityContext.)

/root/RestQR/deploy/kubernetes/menu-deployment.yaml: (object: <no namespace>/menu apps/v1, Kind=Deployment) container "menu" has cpu request 0 (check: unset-cpu-requirements, remediation: Set CPU requests for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.)

[..truncated..]
apiVersion: apps/v1
kind: Deployment
[..truncated..]
spec:
  replicas: 1  
    [..truncated..]
    spec:
      containers:
      - name: menu  
        [..truncated..]
        # This is where the security context should be added              
        # Security Context for the container
        securityContext:
          # Set the container to run as a non-root user
          runAsNonRoot: true
          # Set the root filesystem to read-only
          readOnlyRootFilesystem: true
      [..truncated..]

Kubernetes Manifests Analysis Alternatives