Merge #404 #405

404: score/security: remove Container Security Context r=zegl a=zegl <p>Remove the deprecated “Container Security Context” check. It has been deprecated for three releases, and disabled by default since the last release.</p> --- This PR was created from Gustav Westling's (zegl) [workspace](https://getsturdy.com/kube-score-QEduUvS/ec482ab3-1b84-47fc-8b77-3974d49c7dbb) on [Sturdy](https://getsturdy.com/). Join your team, and code and collaborate on Sturdy, [join now!](https://getsturdy.com/get-started/github) Update this PR by making changes through Sturdy. 405: build(deps): bump k8s.io/api from 0.22.2 to 0.22.3 r=zegl a=dependabot[bot] Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.22.2 to 0.22.3. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/kubernetes/api/commit/882d2ec6f15bb12af59722949736d9722a2afe47"><code>882d2ec</code></a> Update dependencies to v0.22.3 tag</li> <li>See full diff in <a href="https://github.com/kubernetes/api/compare/v0.22.2...v0.22.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=k8s.io/api&package-manager=go_modules&previous-version=0.22.2&new-version=0.22.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting ``@dependabot` rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - ``@dependabot` rebase` will rebase this PR - ``@dependabot` recreate` will recreate this PR, overwriting any edits that have been made to it - ``@dependabot` merge` will merge this PR after your CI passes on it - ``@dependabot` squash and merge` will squash and merge this PR after your CI passes on it - ``@dependabot` cancel merge` will cancel a previously requested merge and block automerging - ``@dependabot` reopen` will reopen this PR if it is closed - ``@dependabot` close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - ``@dependabot` ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - ``@dependabot` ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - ``@dependabot` ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Co-authored-by: Gustav Westling <gustav@westling.dev> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
zegl · Oct 28, 2021 · b187a7c · b187a7c
3 parents 61255cf + 85b5174 + 1b5532c
commit b187a7c
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 353 deletions.
diff --git a/go.mod b/go.mod
@@ -7,8 +7,8 @@ require (
 	github.com/stretchr/testify v1.7.0
 	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
-	k8s.io/api v0.22.2
-	k8s.io/apimachinery v0.22.2
+	k8s.io/api v0.22.3
+	k8s.io/apimachinery v0.22.3
 	sigs.k8s.io/yaml v1.3.0
 )
 

diff --git a/go.sum b/go.sum
@@ -219,10 +219,10 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.22.2 h1:M8ZzAD0V6725Fjg53fKeTJxGsJvRbk4TEm/fexHMtfw=
-k8s.io/api v0.22.2/go.mod h1:y3ydYpLJAaDI+BbSe2xmGcqxiWHmWjkEeIbiwHvnPR8=
-k8s.io/apimachinery v0.22.2 h1:ejz6y/zNma8clPVfNDLnPbleBo6MpoFy/HBiBqCouVk=
-k8s.io/apimachinery v0.22.2/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
+k8s.io/api v0.22.3 h1:wOoES2GoSkUsdped2RB4zYypPqWtvprGoKCENTOOjP4=
+k8s.io/api v0.22.3/go.mod h1:azgiXFiXqiWyLCfI62/eYBOu19rj2LKmIhFPP4+33fs=
+k8s.io/apimachinery v0.22.3 h1:mrvBG5CZnEfwgpVqWcrRKvdsYECTrhAR6cApAgdsflk=
+k8s.io/apimachinery v0.22.3/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM=

diff --git a/score/security/security.go b/score/security/security.go
@@ -9,8 +9,6 @@ import (
 )
 
 func Register(allChecks *checks.Checks) {
-	allChecks.RegisterOptionalPodCheck("Container Security Context", `Makes sure that all pods have good securityContexts configured`, containerSecurityContext)
-
 	allChecks.RegisterPodCheck("Container Security Context User Group ID", `Makes sure that all pods have a security context with valid UID and GID set `, containerSecurityContextUserGroupID)
 	allChecks.RegisterPodCheck("Container Security Context Privileged", "Makes sure that all pods have a unprivileged security context set", containerSecurityContextPrivileged)
 	allChecks.RegisterPodCheck("Container Security Context ReadOnlyRootFilesystem", "Makes sure that all pods have a security context with read only filesystem set", containerSecurityContextReadOnlyRootFilesystem)
@@ -112,74 +110,6 @@ func containerSecurityContextUserGroupID(podTemplate corev1.PodTemplateSpec, typ
 	return
 }
 
-// containerSecurityContext checks that the recommended securityPolicy options are set
-// Deprecated: will be replaced with "Container Security Context User Group ID", "Container Security Context Privileged" and "Container Security Context ReadOnlyRootFilesystem" in future versions
-func containerSecurityContext(podTemplate corev1.PodTemplateSpec, typeMeta metav1.TypeMeta) (score scorecard.TestScore) {
-	allContainers := podTemplate.Spec.InitContainers
-	allContainers = append(allContainers, podTemplate.Spec.Containers...)
-
-	noContextSet := false
-	hasPrivileged := false
-	hasWritableRootFS := false
-	hasLowUserID := false
-	hasLowGroupID := false
-
-	podSecurityContext := podTemplate.Spec.SecurityContext
-
-	for _, container := range allContainers {
-
-		if container.SecurityContext == nil && podSecurityContext == nil {
-			noContextSet = true
-			score.AddComment(container.Name, "Container has no configured security context", "Set securityContext to run the container in a more secure context.")
-			continue
-		}
-
-		sec := container.SecurityContext
-
-		if sec == nil {
-			sec = &corev1.SecurityContext{}
-		}
-
-		// Forward values from PodSecurityContext to the (container level) SecurityContext if not set
-		if podSecurityContext != nil {
-			if sec.RunAsGroup == nil {
-				sec.RunAsGroup = podSecurityContext.RunAsGroup
-			}
-			if sec.RunAsUser == nil {
-				sec.RunAsUser = podSecurityContext.RunAsUser
-			}
-		}
-
-		if sec.Privileged != nil && *sec.Privileged {
-			hasPrivileged = true
-			score.AddComment(container.Name, "The container is privileged", "Set securityContext.privileged to false. Privileged containers can access all devices on the host, and grants almost the same access as non-containerized processes on the host.")
-		}
-
-		if sec.ReadOnlyRootFilesystem == nil || *sec.ReadOnlyRootFilesystem == false {
-			hasWritableRootFS = true
-			score.AddComment(container.Name, "The pod has a container with a writable root filesystem", "Set securityContext.readOnlyRootFilesystem to true")
-		}
-
-		if sec.RunAsUser == nil || *sec.RunAsUser < 10000 {
-			hasLowUserID = true
-			score.AddComment(container.Name, "The container is running with a low user ID", "A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000")
-		}
-
-		if sec.RunAsGroup == nil || *sec.RunAsGroup < 10000 {
-			hasLowGroupID = true
-			score.AddComment(container.Name, "The container running with a low group ID", "A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000")
-		}
-	}
-
-	if noContextSet || hasPrivileged || hasWritableRootFS || hasLowUserID || hasLowGroupID {
-		score.Grade = scorecard.GradeCritical
-	} else {
-		score.Grade = scorecard.GradeAllOK
-	}
-
-	return
-}
-
 // podSeccompProfile checks if the any Seccommp profile is configured for the pod
 func podSeccompProfile(podTemplate corev1.PodTemplateSpec, typeMeta metav1.TypeMeta) (score scorecard.TestScore) {
 	metadata := podTemplate.ObjectMeta