sysdiglabs / k8s-security-configwatch

License: Apache-2.0
GitHub Action that generates a security lint report for Kubernetes workload YAML files on a PR

Kubernetes Security Config Watch

This GitHub Action runs a security lint check against Kubernetes workloads as part of a Git workflow (PR opened, commit pushed, etc.). It compares the workload YAMLs in a source directory (the base branch) with those in a target directory (the PR branch) and reports which security-relevant attributes were escalated or reduced by the change.

Inputs

sourceDir

Required. The directory of Kubernetes workload YAMLs on the source side of the comparison (e.g. a checkout of the master branch).

targetDir

Required. The directory of Kubernetes workload YAMLs on the target side of the comparison (e.g. a checkout of the PR branch).

Use Cases

  1. Integrate the k8s-security-configwatch action into the Git workflow.
  2. Examine changes to the following security attributes of the Kubernetes workload YAMLs in a PR:
  • Privileged
  • HostPID
  • HostIPC
  • HostNetwork
  • Capabilities
  • ReadOnlyRootFileSystem
  • RunAsUser (root/non-root)
  • RunAsGroup (root/non-root)
  • Volume types (e.g. hostPath)
  3. Define your own criteria based on the lint result, for example:
  • Send the lint report to a Slack channel if privileged mode is set to true
  • Fail the check on the PR if a host-level namespace is enabled (hostNetwork, hostPID or hostIPC)
  • Assign extra reviewers (a security architect or engineer) to the PR

Example Usage in a Git Workflow

# checkout master branch (the source side of the comparison)
- uses: actions/checkout@v2
  with:
    ref: master
    path: master
# checkout PR branch (the target side of the comparison)
- uses: actions/checkout@v2
  with:
    path: candidate
    ref: ${{ github.event.pull_request.head.sha }}
# pass both yaml directories to the action; the step id is required so the
# next step can read steps.k8s_privilege_check.outputs.escalation_report
- name: Kubernetes Security Lint
  id: k8s_privilege_check
  # pin to a release tag of the action (the tag is not readable in the source of this page)
  uses: sysdiglabs/k8s-security-configwatch@<release-tag>
  with:
    sourceDir: '/master/yamls'
    targetDir: '/candidate/yamls'
# evaluate escalation report
- name: Post Privilege Check
  env:
    # hand the report to the script through an environment variable instead of
    # expanding the expression inside the shell script
    REPORT: ${{ steps.k8s_privilege_check.outputs.escalation_report }}
  run: |
    printf '%s\n' "$REPORT"
    # slack
    # or other git action like adding another reviewer

Outputs

escalation_report

A JSON document with workload and image counts for both directories, the lists of workloads whose security posture was escalated or reduced, and one section per tracked attribute. Each attribute has a new_*/removed_* (or new_*/reduced_* for capabilities) pair; status is "Escalated" when the change weakens security and "Reduced" when it tightens it, so e.g. new_read_only_root_fs is a reduction. Example:

{
  "total_source_workloads": 2,
  "total_target_workloads": 2,
  "total_source_images": 2,
  "total_target_images": 2,
  "escalation_count": 2,
  "reduction_count": 1,
  "escalations": [
    {
      "name": "nginx",
      "kind": "Pod",
      "namespace": "default",
      "file": "nginx.yaml"
    },
    {
      "name": "my-busybox",
      "kind": "Pod",
      "namespace": "psp-test",
      "file": "busy-box.yaml"
    }
  ],
  "reductions": [
    {
      "name": "my-busybox",
      "kind": "Pod",
      "namespace": "psp-test",
      "file": "busy-box.yaml"
    }
  ],
  "new_privileged": {
    "status": "Escalated",
    "previous": "false",
    "current": "true",
    "workloads": [
      {
        "name": "nginx",
        "kind": "Pod",
        "namespace": "default",
        "file": "nginx.yaml",
        "image": "kaizheh/nginx"
      }
    ],
    "workloads_count": 1
  },
  "removed_privileged": {
    "status": "Reduced",
    "previous": "true",
    "current": "false",
    "workloads": [
      {
        "name": "my-busybox",
        "kind": "Pod",
        "namespace": "psp-test",
        "file": "busy-box.yaml",
        "image": "busybox"
      }
    ],
    "workloads_count": 1
  },
  "new_hostIPC": {
    "status": "Escalated",
    "previous": "false",
    "current": "true",
    "workloads": [
      {
        "name": "my-busybox",
        "kind": "Pod",
        "namespace": "psp-test",
        "file": "busy-box.yaml"
      },
      {
        "name": "nginx",
        "kind": "Pod",
        "namespace": "default",
        "file": "nginx.yaml"
      }
    ],
    "workloads_count": 2
  },
  "removed_hostIPC": {
    "status": "Reduced",
    "previous": "true",
    "current": "false",
    "workloads": [],
    "workloads_count": 0
  },
  "new_hostNetwork": {
    "status": "Escalated",
    "previous": "false",
    "current": "true",
    "workloads": [
      {
        "name": "nginx",
        "kind": "Pod",
        "namespace": "default",
        "file": "nginx.yaml"
      }
    ],
    "workloads_count": 1
  },
  "removed_hostNetwork": {
    "status": "Reduced",
    "previous": "true",
    "current": "false",
    "workloads": [
      {
        "name": "my-busybox",
        "kind": "Pod",
        "namespace": "psp-test",
        "file": "busy-box.yaml"
      }
    ],
    "workloads_count": 1
  },
  "new_hostPID": {
    "status": "Escalated",
    "previous": "false",
    "current": "true",
    "workloads": [
      {
        "name": "nginx",
        "kind": "Pod",
        "namespace": "default",
        "file": "nginx.yaml"
      }
    ],
    "workloads_count": 1
  },
  "removed_hostPID": {
    "status": "Reduced",
    "previous": "true",
    "current": "false",
    "workloads": [
      {
        "name": "my-busybox",
        "kind": "Pod",
        "namespace": "psp-test",
        "file": "busy-box.yaml"
      }
    ],
    "workloads_count": 1
  },
  "new_volume_types": {
    "hostPath": {
      "status": "Escalated",
      "previous": "",
      "current": "hostPath",
      "workloads": [
        {
          "name": "nginx",
          "kind": "Pod",
          "namespace": "default",
          "file": "nginx.yaml"
        }
      ],
      "workloads_count": 1
    }
  },
  "removed_volume_types": {},
  "new_capabilities": {},
  "reduced_capabilities": {
    "SYS_ADMIN": {
      "status": "Reduced",
      "previous": "SYS_ADMIN",
      "current": "",
      "workloads": [
        {
          "name": "my-busybox",
          "kind": "Pod",
          "namespace": "psp-test",
          "file": "busy-box.yaml",
          "image": "busybox"
        }
      ],
      "workloads_count": 1
    },
    "SYS_CHROOT": {
      "status": "Reduced",
      "previous": "SYS_CHROOT",
      "current": "",
      "workloads": [
        {
          "name": "my-busybox",
          "kind": "Pod",
          "namespace": "psp-test",
          "file": "busy-box.yaml",
          "image": "busybox"
        }
      ],
      "workloads_count": 1
    }
  },
  "new_run_user_as_root": {
    "status": "Escalated",
    "previous": "non-root",
    "current": "root",
    "workloads": [
      {
        "name": "nginx",
        "kind": "Pod",
        "namespace": "default",
        "file": "nginx.yaml",
        "image": "kaizheh/nginx"
      }
    ],
    "workloads_count": 1
  },
  "removed_run_user_as_root": {
    "status": "Reduced",
    "previous": "root",
    "current": "non-root",
    "workloads": [],
    "workloads_count": 0
  },
  "new_run_group_as_root": {
    "status": "Escalated",
    "previous": "non-root",
    "current": "root",
    "workloads": [
      {
        "name": "nginx",
        "kind": "Pod",
        "namespace": "default",
        "file": "nginx.yaml",
        "image": "kaizheh/nginx"
      }
    ],
    "workloads_count": 1
  },
  "removed_run_group_as_root": {
    "status": "Reduced",
    "previous": "root",
    "current": "non-root",
    "workloads": [],
    "workloads_count": 0
  },
  "new_read_only_root_fs": {
    "status": "Reduced",
    "previous": "false",
    "current": "true",
    "workloads": [
      {
        "name": "my-busybox",
        "kind": "Pod",
        "namespace": "psp-test",
        "file": "busy-box.yaml",
        "image": "busybox"
      }
    ],
    "workloads_count": 1
  },
  "removed_read_only_root_fs": {
    "status": "Escalated",
    "previous": "true",
    "current": "false",
    "workloads": [
      {
        "name": "nginx",
        "kind": "Pod",
        "namespace": "default",
        "file": "nginx.yaml",
        "image": "kaizheh/nginx"
      }
    ],
    "workloads_count": 1
  }
}

The above escalation report was generated for a PR in which nginx.yaml gained privileged mode, hostIPC, hostNetwork, hostPID, a hostPath volume and root user/group while losing its read-only root filesystem, and busy-box.yaml dropped privileged mode, hostNetwork, hostPID and the SYS_ADMIN/SYS_CHROOT capabilities and gained a read-only root filesystem, but also gained hostIPC.
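The following is a worked example of the third use case above (defining your own criteria from the lint result and failing the check), written against the report schema shown in this section. It is an added example, not code from the project: the script name gate_report.py, the policy constants (which attributes are hard failures, which volume types and capabilities are forbidden) and the constructed SAMPLE_REPORT are assumptions for illustration.

```python
"""Policy gate over a k8s-security-configwatch escalation_report.

Added example, not part of the project. Reads the JSON the action emits in
its escalation_report output and decides whether the PR check should fail.
The policy constants below are assumptions chosen for illustration.
"""
import json
import sys

# "new_*" sections that fail the check outright when they list any workload (assumed policy).
HARD_FAIL_SECTIONS = ("new_privileged", "new_hostPID", "new_hostIPC", "new_hostNetwork")
# Newly introduced volume types that fail the check (assumed policy).
FORBIDDEN_VOLUME_TYPES = {"hostPath"}
# Capabilities that may be newly added without failing the check (assumed policy).
ALLOWED_NEW_CAPABILITIES = {"NET_BIND_SERVICE"}
# Sections that only warrant an extra reviewer, not a failure (assumed policy).
REVIEW_SECTIONS = ("new_run_user_as_root", "new_run_group_as_root", "removed_read_only_root_fs")


def _workloads(section):
    """Render the workloads of one report section as kind/namespace/name (file)."""
    return [f'{w["kind"]}/{w["namespace"]}/{w["name"]} ({w["file"]})'
            for w in section.get("workloads", [])]


def evaluate(report):
    """Return (failures, warnings): two lists of human-readable findings."""
    failures, warnings = [], []
    for key in HARD_FAIL_SECTIONS:
        failures += [f"{key}: {w}" for w in _workloads(report.get(key, {}))]
    for vtype, section in report.get("new_volume_types", {}).items():
        bucket = failures if vtype in FORBIDDEN_VOLUME_TYPES else warnings
        bucket += [f"new volume type {vtype}: {w}" for w in _workloads(section)]
    for cap, section in report.get("new_capabilities", {}).items():
        bucket = warnings if cap in ALLOWED_NEW_CAPABILITIES else failures
        bucket += [f"new capability {cap}: {w}" for w in _workloads(section)]
    for key in REVIEW_SECTIONS:
        warnings += [f"{key}: {w}" for w in _workloads(report.get(key, {}))]
    return failures, warnings


def gate(report_json):
    """Parse one report, print the findings and return the exit status: 0 pass, 1 fail."""
    report = json.loads(report_json or "{}")
    failures, warnings = evaluate(report)
    for line in failures:
        print("FAIL", line)
    for line in warnings:
        print("WARN", line)
    print(f"{report.get('escalation_count', 0)} escalation(s), "
          f"{report.get('reduction_count', 0)} reduction(s); "
          f"{len(failures)} policy failure(s), {len(warnings)} warning(s)")
    return 1 if failures else 0


def _w(name, namespace, file, image):
    """Constructed workload entry in the report's shape."""
    return {"name": name, "kind": "Pod", "namespace": namespace, "file": file, "image": image}


def _section(status, previous, current, *workloads):
    """Constructed per-attribute section in the report's shape."""
    return {"status": status, "previous": previous, "current": current,
            "workloads": list(workloads), "workloads_count": len(workloads)}


NGINX = _w("nginx", "default", "nginx.yaml", "kaizheh/nginx")
BUSYBOX = _w("my-busybox", "psp-test", "busy-box.yaml", "busybox")

# Constructed report mirroring the escalations of the example report above.
SAMPLE_REPORT = {
    "escalation_count": 2,
    "reduction_count": 1,
    "new_privileged": _section("Escalated", "false", "true", NGINX),
    "new_hostIPC": _section("Escalated", "false", "true", BUSYBOX, NGINX),
    "new_hostNetwork": _section("Escalated", "false", "true", NGINX),
    "new_hostPID": _section("Escalated", "false", "true", NGINX),
    "new_volume_types": {"hostPath": _section("Escalated", "", "hostPath", NGINX)},
    "new_capabilities": {},
    "new_run_user_as_root": _section("Escalated", "non-root", "root", NGINX),
    "removed_read_only_root_fs": _section("Escalated", "true", "false", NGINX),
}
SAMPLE_REPORT_JSON = json.dumps(SAMPLE_REPORT)

if __name__ == "__main__":
    # Workflow usage: printf '%s' "$REPORT" | python3 gate_report.py
    # Run with no piped input, it evaluates the constructed sample instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT_JSON
    sys.exit(gate(data))
```

In the workflow above, replace the printf in the "Post Privilege Check" step with `printf '%s' "$REPORT" | python3 gate_report.py`; a non-zero exit fails the check, while the WARN lines (root user/group, lost read-only root filesystem) are the cases to route to an extra reviewer rather than block on. Passing the report through the REPORT environment variable keeps the JSON out of the shell script text, so its content can never be interpreted as shell.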
