From 96656f1757e56aa2cb5ac34a49433f481e117eb8 Mon Sep 17 00:00:00 2001
From: Erik Godding Boye
Date: Tue, 10 Jan 2023 16:31:46 +0100
Subject: [PATCH] docs: add CIS CRD docs (#25)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Øyvind Sigerstad
Co-authored-by: Bendik Paulsrud
---
 README.md | 26 +-
 .../stas_v1alpha1_containerimagescan.yaml | 275 +++++++++++++++++-
 2 files changed, 293 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 648c12b4..205b61a8 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,28 @@ software. Some key features of this operator are: ### Custom resources -// TODO: Add a summary of key `ContainerImageScan` (CIS) characteristics +The Image Scanner operator currently defines a single user-facing Custom +Resource Definition (CRD), [ContainerImageScan][CIS-CRD] (CIS), that represents the +Kubernetes API for runtime image scanning of workload container images. +See [stas_v1alpha1_containerimagescan.yaml][CIS-example] for a (simplified) +example of a CIS resource. + +The CIS resource `.spec` specifies the container image to scan and some +additional workload metadata, and the image scan result is added/updated +in `.status` by the `ContainerImageScan` controller. + +CIS resources should not be edited by standard users, as the `Workload` +controller will create CIS resources from running pods. And the standard +Kubernetes garbage collector deletes the obsolete CIS resources when the +owning pods are gone. + +A user can influence the image scanning process by adding annotations to pods. +The set of annotations is currently limited, but more might be added in the +future: + +| Pod annotation key | Default value | Description | +|--------------------------------------------|:--------------|:----------------------------------------------------------------------------------------------------------------------| +| `image-scanner.statnett.no/ignore-unfixed` | `"false"` | If set to `"true"`, the Image Scanner will ignore any detected vulnerability that can't be fix by updating package(s) | ### Supported features @@ -228,3 +249,6 @@ package "Image Scanner Operator" { ## License Licensed under the [MIT License](LICENSE). + +[CIS-CRD]: https://doc.crds.dev/github.com/statnett/image-scanner-operator/stas.statnett.no/ContainerImageScan/v1alpha1 +[CIS-example]: config/samples/stas_v1alpha1_containerimagescan.yaml 
diff --git a/config/samples/stas_v1alpha1_containerimagescan.yaml b/config/samples/stas_v1alpha1_containerimagescan.yaml
index 5ab62d71..99440d01 100644
--- a/config/samples/stas_v1alpha1_containerimagescan.yaml
+++ b/config/samples/stas_v1alpha1_containerimagescan.yaml
@@ -1,12 +1,273 @@ apiVersion: stas.statnett.no/v1alpha1 kind: ContainerImageScan metadata: + name: pod-nginx-app-afd44 + ownerReferences: + - apiVersion: v1 + kind: Pod + name: nginx + uid: 4b759b6e-cce1-4327-9110-7f81bc1cd37d labels: - app.kubernetes.io/name: containerimagescan - app.kubernetes.io/instance: containerimagescan-sample - app.kubernetes.io/part-of: image-scanner-operator - app.kuberentes.io/managed-by: kustomize - app.kubernetes.io/created-by: image-scanner-operator - name: containerimagescan-sample + app.kubernetes.io/name: nginx spec: -# TODO(user): Add fields here + digest: 'sha256:0fd172200e9ef7d3187cf526b24567027992ffce8a34cc9d5ac0d18deb974d33' + name: docker.io/nginxinc/nginx-unprivileged + workload: + containerName: app + group: '' + kind: Pod + name: nginx +status: + lastScanJobName: pod-nginx-app-afd44hs7rw + lastScanTime: '2023-01-10T10:24:53Z' + lastSuccessfulScanTime: '2023-01-10T10:24:53Z' + observedGeneration: 1 + vulnerabilities: + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-32207' + severity: CRITICAL + title: 'curl: Unpreserved file permissions' + vulnerabilityID: CVE-2022-32207 + - fixedVersion: 7.80.0-r4 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-32221' + severity: CRITICAL + title: 'curl: POST following PUT confusion' + vulnerabilityID: CVE-2022-32221 + - fixedVersion: 7.80.0-r4 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-42915' + severity: CRITICAL + title: 'curl: HTTP proxy double-free' + vulnerabilityID: CVE-2022-42915 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-32207' + severity: CRITICAL + title: 'curl: Unpreserved file permissions' + vulnerabilityID: CVE-2022-32207 + - fixedVersion: 7.80.0-r4 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 
'https://avd.aquasec.com/nvd/cve-2022-32221' + severity: CRITICAL + title: 'curl: POST following PUT confusion' + vulnerabilityID: CVE-2022-32221 + - fixedVersion: 7.80.0-r4 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-42915' + severity: CRITICAL + title: 'curl: HTTP proxy double-free' + vulnerabilityID: CVE-2022-42915 + - fixedVersion: 1.2.12-r2 + installedVersion: 1.2.12-r0 + pkgName: zlib + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-37434' + severity: CRITICAL + title: >- + zlib: heap-based buffer over-read and overflow in inflate() in inflate.c + via a large gzip header extra field + vulnerabilityID: CVE-2022-37434 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-27780' + severity: HIGH + title: 'curl: percent-encoded path separator in URL host' + vulnerabilityID: CVE-2022-27780 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-27781' + severity: HIGH + title: 'curl: CERTINFO never-ending busy-loop' + vulnerabilityID: CVE-2022-27781 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-27782' + severity: HIGH + title: 'curl: TLS and SSH connection too eager reuse' + vulnerabilityID: CVE-2022-27782 + - fixedVersion: 7.80.0-r4 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-42916' + severity: HIGH + title: 'curl: HSTS bypass via IDN' + vulnerabilityID: CVE-2022-42916 + - fixedVersion: 7.80.0-r5 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-43551' + severity: HIGH + title: 'curl: HSTS bypass via IDN' + vulnerabilityID: CVE-2022-43551 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-27780' + severity: 
HIGH + title: 'curl: percent-encoded path separator in URL host' + vulnerabilityID: CVE-2022-27780 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-27781' + severity: HIGH + title: 'curl: CERTINFO never-ending busy-loop' + vulnerabilityID: CVE-2022-27781 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-27782' + severity: HIGH + title: 'curl: TLS and SSH connection too eager reuse' + vulnerabilityID: CVE-2022-27782 + - fixedVersion: 7.80.0-r4 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-42916' + severity: HIGH + title: 'curl: HSTS bypass via IDN' + vulnerabilityID: CVE-2022-42916 + - fixedVersion: 7.80.0-r5 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-43551' + severity: HIGH + title: 'curl: HSTS bypass via IDN' + vulnerabilityID: CVE-2022-43551 + - fixedVersion: 2.9.14-r1 + installedVersion: 2.9.14-r0 + pkgName: libxml2 + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-2309' + severity: HIGH + title: 'lxml: NULL Pointer Dereference in lxml' + vulnerabilityID: CVE-2022-2309 + - fixedVersion: 2.9.14-r2 + installedVersion: 2.9.14-r0 + pkgName: libxml2 + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-40303' + severity: HIGH + title: 'libxml2: integer overflows with XML_PARSE_HUGE' + vulnerabilityID: CVE-2022-40303 + - fixedVersion: 2.9.14-r2 + installedVersion: 2.9.14-r0 + pkgName: libxml2 + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-40304' + severity: HIGH + title: 'libxml2: dict corruption caused by entity reference cycles' + vulnerabilityID: CVE-2022-40304 + - fixedVersion: 6.3_p20211120-r1 + installedVersion: 6.3_p20211120-r0 + pkgName: ncurses-libs + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-29458' + severity: HIGH + title: 'ncurses: segfaulting OOB read' + vulnerabilityID: 
CVE-2022-29458 + - fixedVersion: 6.3_p20211120-r1 + installedVersion: 6.3_p20211120-r0 + pkgName: ncurses-terminfo-base + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-29458' + severity: HIGH + title: 'ncurses: segfaulting OOB read' + vulnerabilityID: CVE-2022-29458 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-32205' + severity: MEDIUM + title: 'curl: Set-Cookie denial of service' + vulnerabilityID: CVE-2022-32205 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-32206' + severity: MEDIUM + title: 'curl: HTTP compression denial of service' + vulnerabilityID: CVE-2022-32206 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-32208' + severity: MEDIUM + title: 'curl: FTP-KRB bad message verification' + vulnerabilityID: CVE-2022-32208 + - fixedVersion: 7.80.0-r5 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-43552' + severity: MEDIUM + title: 'curl: HTTP Proxy deny use-after-free' + vulnerabilityID: CVE-2022-43552 + - fixedVersion: 1.1.1q-r0 + installedVersion: 1.1.1n-r0 + pkgName: libcrypto1.1 + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-2097' + severity: MEDIUM + title: 'openssl: AES OCB fails to encrypt some bytes' + vulnerabilityID: CVE-2022-2097 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-32205' + severity: MEDIUM + title: 'curl: Set-Cookie denial of service' + vulnerabilityID: CVE-2022-32205 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-32206' + severity: MEDIUM + title: 'curl: HTTP compression denial of service' + vulnerabilityID: CVE-2022-32206 + - fixedVersion: 7.80.0-r2 + installedVersion: 7.80.0-r1 + 
pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-32208' + severity: MEDIUM + title: 'curl: FTP-KRB bad message verification' + vulnerabilityID: CVE-2022-32208 + - fixedVersion: 7.80.0-r5 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-43552' + severity: MEDIUM + title: 'curl: HTTP Proxy deny use-after-free' + vulnerabilityID: CVE-2022-43552 + - fixedVersion: 1.1.1q-r0 + installedVersion: 1.1.1n-r0 + pkgName: libssl1.1 + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-2097' + severity: MEDIUM + title: 'openssl: AES OCB fails to encrypt some bytes' + vulnerabilityID: CVE-2022-2097 + - fixedVersion: 7.80.0-r3 + installedVersion: 7.80.0-r1 + pkgName: curl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-35252' + severity: LOW + title: 'curl: control code in cookie denial of service' + vulnerabilityID: CVE-2022-35252 + - fixedVersion: 7.80.0-r3 + installedVersion: 7.80.0-r1 + pkgName: libcurl + primaryURL: 'https://avd.aquasec.com/nvd/cve-2022-35252' + severity: LOW + title: 'curl: control code in cookie denial of service' + vulnerabilityID: CVE-2022-35252 + vulnerabilitySummary: + fixedCount: 34 + severityCount: + CRITICAL: 7 + HIGH: 15 + LOW: 2 + MEDIUM: 10 + UNKNOWN: 0
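Review bot: The sample now carries cluster-specific values — `metadata.name` with a generated suffix, `metadata.ownerReferences[0].uid`, and a fully populated `status` — with no comment saying that it is a captured example rather than something to apply, so anyone who runs the usual `kubectl apply -k config/samples` will create a CIS whose owner Pod UID does not exist and the Kubernetes garbage collector will delete it right away, while the `status` block is silently dropped on create if the CRD serves a status subresource (not visible in this patch). Since the README in the same commit already says users should not create CIS resources by hand, a leading comment at the top of the file would make that explicit: `# Illustrative ContainerImageScan as created by the Workload controller for a running pod (see README, "Custom resources"). ownerReferences.uid and status are cluster-specific and are not meant to be applied manually.` The indentation of the hunk is collapsed in this view, so the nesting of `workload` and `vulnerabilitySummary` under their parents could not be verified here; the counts in `vulnerabilitySummary` do match the 34 listed entries.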