From 2a4b8b4ff8ce53c4e04b50e111f599fdeedb8254 Mon Sep 17 00:00:00 2001
From: Heiko Kiesel
Date: Tue, 22 Aug 2023 15:30:12 +0200
Subject: [PATCH 1/2] Improve kubeaudit example
Signed-off-by: Heiko Kiesel
---
 .../kubeaudit/examples/juice-shop/README.md | 31 +++++++++++
 .../examples/juice-shop/findings.json | 51 +++++++++++++++++++
 .../kubeaudit/examples/juice-shop/scan.yaml | 2 +-
 3 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 scanners/kubeaudit/examples/juice-shop/README.md
 create mode 100644 scanners/kubeaudit/examples/juice-shop/findings.json
diff --git a/scanners/kubeaudit/examples/juice-shop/README.md b/scanners/kubeaudit/examples/juice-shop/README.md
new file mode 100644
index 000000000..63e790222
--- /dev/null
+++ b/scanners/kubeaudit/examples/juice-shop/README.md
@@ -0,0 +1,31 @@
+ + +In this example we execute an kubeaudit scan against the intentional vulnerable [juice-shop](https://github.com/juice-shop/juice-shop)
+
+#### Initialize juice-shop in cluster
+
+Before executing the scan, make sure to setup juice-shop
+
+```bash
+helm upgrade --install juice-shop secureCodeBox/juice-shop --wait
+```
+
+After that you can execute the scan in this directory:
+```bash
+kubectl apply -f scan.yaml
+```
+
+#### Troubleshooting:
+ Make sure to install juice-shop in the same namespace as the scanner!
+If you juice-shop runs in, e.g., the `kubeaudit-tests` namespace, install the chart and run the scan there too
+```bash
+# Install HelmChart in kubeaudit-tests namespace
+helm upgrade --install kubeaudit secureCodeBox/kubeaudit -n kubeaudit-tests
+# Run scan in kubeaudit-tests namespace
+kubectl apply -f scan.yaml -n kubeaudit-tests
+```
+Also, you must adjust the namespace in the scan.yaml with the `-n` flag.
diff --git a/scanners/kubeaudit/examples/juice-shop/findings.json b/scanners/kubeaudit/examples/juice-shop/findings.json
new file mode 100644
index 000000000..2fcf6a120
--- /dev/null
+++ b/scanners/kubeaudit/examples/juice-shop/findings.json
@@ -0,0 +1,51 @@
+[{
+ "name": "Namespace \"default\" is missing a Default Deny NetworkPolicy",
+ "identified_at": "2023-08-22T12:32:05Z",
+ "description": "Namespace is missing a default deny ingress and egress NetworkPolicy.",
+ "category": "No Default Deny NetworkPolicy",
+ "location": "namespace://default",
+ "osi_layer": "NOT_APPLICABLE",
+ "severity": "MEDIUM",
+ "attributes": {
+ "Namespace": "default"
+ },
+ "id": "8243db55-e6a1-41fd-97a5-3d7b1736886a",
+ "parsed_at": "2023-08-22T12:32:11.395Z"
+}, {
+ "name": "Default ServiceAccount uses Automounted Service Account Token",
+ "identified_at": "2023-08-22T12:32:05Z",
+ "description": "Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.",
+ "category": "Automounted ServiceAccount Token",
+ "location": null,
+ "osi_layer": "NOT_APPLICABLE",
+ "severity": "LOW",
+ "attributes": {},
+ "id": "5ed793ce-e8c0-4abb-aaf7-2031356b9996",
+ "parsed_at": "2023-08-22T12:32:11.395Z"
+}, {
+ "name": "NonRoot User not enforced for Container",
+ "identified_at": "2023-08-22T12:32:05Z",
+ "description": "runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.",
+ "category": "Non Root User Not Enforced",
+ "location": "container://juice-shop",
+ "osi_layer": "NOT_APPLICABLE",
+ "severity": "MEDIUM",
+ "attributes": {
+ "container": "juice-shop"
+ },
+ "id": "6162326e-8d0c-463f-9b0c-147cf04a7a1f",
+ "parsed_at": "2023-08-22T12:32:11.395Z"
+}, {
+ "name": "Container Uses a non ReadOnly Root Filesystem",
+ "identified_at": "2023-08-22T12:32:05Z",
+ "description": "readOnlyRootFilesystem is not set in container SecurityContext. 
It should be set to 'true'.",
+ "category": "Non ReadOnly Root Filesystem",
+ "location": "container://juice-shop",
+ "osi_layer": "NOT_APPLICABLE",
+ "severity": "LOW",
+ "attributes": {
+ "container": "juice-shop"
+ },
+ "id": "ea9d6b4a-365b-4fce-99b7-05b0e442db2a",
+ "parsed_at": "2023-08-22T12:32:11.395Z"
+}]
diff --git a/scanners/kubeaudit/examples/juice-shop/scan.yaml b/scanners/kubeaudit/examples/juice-shop/scan.yaml
index 8336bf1a1..fccc2c789 100644
--- a/scanners/kubeaudit/examples/juice-shop/scan.yaml
+++ b/scanners/kubeaudit/examples/juice-shop/scan.yaml
@@ -10,4 +10,4 @@ spec:
 scanType: "kubeaudit"
 parameters:
 - "-n"
- - "juice-shop"
+ - "default"
From fb0444e5273b409128ecc4e8803d2529a3d4edce Mon Sep 17 00:00:00 2001
From: Heiko Kiesel
Date: Fri, 25 Aug 2023 11:16:19 +0200
Subject: [PATCH 2/2] Improve Troubleshooting section in kubeaudit example
Signed-off-by: Heiko Kiesel
---
 scanners/kubeaudit/examples/juice-shop/README.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/scanners/kubeaudit/examples/juice-shop/README.md b/scanners/kubeaudit/examples/juice-shop/README.md
index 63e790222..1a710855f 100644
--- a/scanners/kubeaudit/examples/juice-shop/README.md
+++ b/scanners/kubeaudit/examples/juice-shop/README.md
@@ -29,3 +29,8 @@ helm upgrade --install kubeaudit secureCodeBox/kubeaudit -n kubeaudit-tests
 kubectl apply -f scan.yaml -n kubeaudit-tests
 ```
 Also, you must adjust the namespace in the scan.yaml with the `-n` flag.
+
+Alternatively, you can set the scope of kubeaudit to cluster:
+```bash
+helm upgrade --install kubeaudit secureCodeBox/kubeaudit -n kubeaudit-tests --set="kubeauditScope=cluster"
+```
\ No newline at end of file
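Review bot: The `location` field is a URI-like string (`namespace://default`, `container://juice-shop`) for three findings but `null` for the Automounted ServiceAccount Token finding, whose `attributes` is also the only empty object, so the documented example shows the field changing type between records. Consumers that filter or group findings by location will have to special-case that record; presumably kubeaudit reports this finding without a resource reference, but it is worth confirming against the parser whether a location can be derived instead of emitting null. The `attributes` keys also differ in case (`Namespace` versus `container`), which points at normalisation in the parser rather than at this fixture. If the null is intentional, a sentence in the example README stating which findings carry `"location": null` would save readers from treating it as a parsing gap.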
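Review bot: The `-n` argument is now the bare string `default` with nothing tying it to the README's install step, which runs `helm upgrade --install juice-shop ...` without a namespace flag and therefore lands wherever the caller's kube context points; the two only agree when that context is `default`. A comment on the parameter would make the coupling explicit, e.g. `# must match the namespace juice-shop was installed into (see README)` above `- "-n"`. If kubeaudit restricts the audit to the namespace named here, as the flag suggests, a mismatch yields an empty or misleading result rather than an error, which is worth stating in the same comment. The enclosing `spec:` block starts outside the hunk.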