Merge #276 #277

276: Security privileged defaults false r=zegl a=zegl

```
RELNOTE: correctly treat null securityContext.privileged as "false"
```

This fixes #275 

277: ci: remove codecov integration r=zegl a=zegl

<!--
    Optional: Add this change to the release notes by adding a RELNOTE comment
    If this shouldn't appear in the notes, simply remove this.
-->

```
RELNOTE: describe the changes
```


Co-authored-by: Gustav Westling <gustav@westling.dev>

.circleci/config.yml

@@ -12,9 +12,6 @@ jobs:
     - run:
         name: "Enforce Go Formatted Code"
         command: "! go fmt github.com/zegl/kube-score/... 2>&1 | read"
-    - run:
-        name: "Upload test coverage results"
-        command: bash <(curl -s https://codecov.io/bash)
 
 workflows:
   version: 2

score/security/security.go

@@ -50,9 +50,9 @@ func containerSecurityContext(podTemplate corev1.PodTemplateSpec, typeMeta metav
 			}
 		}
 
-		if sec.Privileged == nil || *sec.Privileged {
+		if sec.Privileged != nil && *sec.Privileged {
 			hasPrivileged = true
-			score.AddComment(container.Name, "The container is privileged", "Set securityContext.privileged to false")
+			score.AddComment(container.Name, "The container is privileged", "Set securityContext.privileged to false. Privileged containers can access all devices on the host, and grants almost the same access as non-containerized processes on the host.")
 		}
 
 		if sec.ReadOnlyRootFilesystem == nil || *sec.ReadOnlyRootFilesystem == false {

score/security_test.go

@@ -71,17 +71,7 @@ func TestPodSecurityContext(test *testing.T) {
 			},
 		},
 
-		// Context is non nul, but has all null values
-		{
-			ctx:           &corev1.SecurityContext{},
-			expectedGrade: 1,
-			expectedComment: &scorecard.TestScoreComment{
-				Path:        "foobar",
-				Summary:     "The container is privileged",
-				Description: "Set securityContext.privileged to false",
-			},
-		},
-		// Context is non nul, but has all null values
+		// Context is non-null, but has all null values
 		{
 			ctx:           &corev1.SecurityContext{},
 			expectedGrade: 1,
@@ -145,6 +135,52 @@ func TestPodSecurityContext(test *testing.T) {
 				Description: "A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000",
 			},
 		},
+
+		// Privileged defaults to "false"
+		{
+			ctx: &corev1.SecurityContext{
+				ReadOnlyRootFilesystem: b(true),
+				RunAsNonRoot:           b(true),
+			},
+			podCtx: &corev1.PodSecurityContext{
+				RunAsUser:  i(20000),
+				RunAsGroup: i(20000),
+			},
+			expectedGrade: scorecard.GradeAllOK,
+		},
+
+		// Privileged explicitly set to "false"
+		{
+			ctx: &corev1.SecurityContext{
+				ReadOnlyRootFilesystem: b(true),
+				RunAsNonRoot:           b(true),
+				Privileged:             b(false),
+			},
+			podCtx: &corev1.PodSecurityContext{
+				RunAsUser:  i(20000),
+				RunAsGroup: i(20000),
+			},
+			expectedGrade: scorecard.GradeAllOK,
+		},
+
+		// Privileged explicitly set to "true"
+		{
+			ctx: &corev1.SecurityContext{
+				ReadOnlyRootFilesystem: b(true),
+				RunAsNonRoot:           b(true),
+				Privileged:             b(true),
+			},
+			podCtx: &corev1.PodSecurityContext{
+				RunAsUser:  i(20000),
+				RunAsGroup: i(20000),
+			},
+			expectedGrade: scorecard.GradeCritical,
+			expectedComment: &scorecard.TestScoreComment{
+				Path:        "foobar",
+				Summary:     "The container is privileged",
+				Description: "Set securityContext.privileged to false. Privileged containers can access all devices on the host, and grants almost the same access as non-containerized processes on the host.",
+			},
+		},
 	}
 
 	for caseID, tc := range tests {