Add OpenShift SecurityContextConstraints object linting (#650)

Co-authored-by: Cereberus <[email protected]>

Author: mancubus77

docs/generated/checks.md

@@ -513,6 +513,21 @@ key: owner
 **Remediation**: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.
 
 **Template**: [run-as-non-root](templates.md#run-as-non-root-user)
+## scc-deny-privileged-container
+
+**Enabled by default**: No
+
+**Description**: Indicates when allowPrivilegedContainer SecurityContextConstraints set to true
+
+**Remediation**: SecurityContextConstraints has AllowPrivilegedContainer set to "true". Using this option is dangerous, please consider using allowedCapabilities instead. Refer to https://docs.openshift.com/container-platform/4.12/authentication/managing-security-context-constraints.html#scc-settings_configuring-internal-oauth for details.
+
+**Template**: [scc-deny-privileged-container](templates.md#securitycontextconstraints-allowprivilegedcontainer)
+
+**Parameters**:
+
+```yaml
+AllowPrivilegedContainer: true
+```
 ## sensitive-host-mounts
 
 **Enabled by default**: Yes

docs/generated/templates.md

@@ -694,6 +694,24 @@ KubeLinter supports the following templates:
 **Supported Objects**: DeploymentLike
 
 
+## SecurityContextConstraints allowPrivilegedContainer
+
+**Key**: `scc-deny-privileged-container`
+
+**Description**: Flag SCC with allowPrivilegedContainer set to true
+
+**Supported Objects**: SecurityContextConstraints
+
+
+**Parameters**:
+
+```yaml
+- description: allowPrivilegedContainer value
+  name: allowPrivilegedContainer
+  required: false
+  type: boolean
+```
+
 ## Service Account
 
 **Key**: `service-account`

e2etests/bats-tests.sh

@@ -739,6 +739,21 @@ get_value_from() {
   [[ "${count}" == "2" ]]
 }
 
+@test "scc-deny-privileged-container" {
+  tmp="tests/checks/scc-deny-privileged-container.yml"
+  cmd="${KUBE_LINTER_BIN} lint --include scc-deny-privileged-container --do-not-auto-add-defaults --format json ${tmp}"
+  run ${cmd}
+
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 1 ]
+
+  message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
+  count=$(get_value_from "${lines[0]}" '.Reports | length')
+
+  [[ "${message1}" == "SecurityContextConstraints: SCC has allowPrivilegedContainer set to true" ]]
+  [[ "${count}" == "1" ]]
+}
+
 @test "sensitive-host-mounts" {
   tmp="tests/checks/sensitive-host-mounts.yml"
   cmd="${KUBE_LINTER_BIN} lint --include sensitive-host-mounts --do-not-auto-add-defaults --format json ${tmp}"

pkg/builtinchecks/yamls/scc-deny-privileged-container.yaml

@@ -0,0 +1,10 @@
+name: "scc-deny-privileged-container"
+description: "Indicates when allowPrivilegedContainer SecurityContextConstraints set to true"
+remediation: >-
+  SecurityContextConstraints has AllowPrivilegedContainer set to "true". Using this option is dangerous, please consider using allowedCapabilities instead. Refer to https://docs.openshift.com/container-platform/4.12/authentication/managing-security-context-constraints.html#scc-settings_configuring-internal-oauth for details.
+scope:
+  objectKinds:
+    - SecurityContextConstraints
+template: "scc-deny-privileged-container"
+params:
+  AllowPrivilegedContainer: true

pkg/extract/scc_spec.go

@@ -0,0 +1,14 @@
+package extract
+
+import (
+	ocpSecV1 "github.com/openshift/api/security/v1"
+	"golang.stackrox.io/kube-linter/pkg/k8sutil"
+)
+
+// SCCallowPrivilegedContainer extracts allowPrivilegedContainer from the given object, if available.
+func SCCallowPrivilegedContainer(obj k8sutil.Object) (bool, bool) {
+	if scc, ok := obj.(*ocpSecV1.SecurityContextConstraints); ok {
+		return scc.AllowPrivilegedContainer, true
+	}
+	return false, false
+}

pkg/lintcontext/mocks/scc.go

@@ -0,0 +1,23 @@
+package mocks
+
+import (
+	"testing"
+
+	ocpSecV1 "github.com/openshift/api/security/v1"
+	"github.com/stretchr/testify/require"
+	"golang.stackrox.io/kube-linter/pkg/objectkinds"
+	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// AddMockSecurityContextConstraints adds a mock SecurityContextConstraints to LintContext
+func (l *MockLintContext) AddMockSecurityContextConstraints(t *testing.T, name string, allowFlag bool) {
+	require.NotEmpty(t, name)
+	l.objects[name] = &ocpSecV1.SecurityContextConstraints{
+		TypeMeta: metaV1.TypeMeta{
+			Kind:       objectkinds.SecurityContextConstraints,
+			APIVersion: objectkinds.GetSCCAPIVersion(),
+		},
+		ObjectMeta:               metaV1.ObjectMeta{Name: name},
+		AllowPrivilegedContainer: allowFlag,
+	}
+}

pkg/lintcontext/parse_yaml.go

@@ -12,6 +12,7 @@ import (
 
 	y "github.com/ghodss/yaml"
 	ocsAppsV1 "github.com/openshift/api/apps/v1"
+	ocpSecV1 "github.com/openshift/api/security/v1"
 	"github.com/pkg/errors"
 	k8sMonitoring "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	"golang.stackrox.io/kube-linter/pkg/k8sutil"
@@ -42,7 +43,7 @@ func init() {
 	clientScheme := scheme.Scheme
 
 	// Add OpenShift and Autoscaling schema
-	schemeBuilder := runtime.NewSchemeBuilder(ocsAppsV1.AddToScheme, autoscalingV2Beta1.AddToScheme, k8sMonitoring.AddToScheme)
+	schemeBuilder := runtime.NewSchemeBuilder(ocsAppsV1.AddToScheme, autoscalingV2Beta1.AddToScheme, k8sMonitoring.AddToScheme, ocpSecV1.AddToScheme)
 	if err := schemeBuilder.AddToScheme(clientScheme); err != nil {
 		panic(fmt.Sprintf("Can not add OpenShift schema %v", err))
 	}

pkg/objectkinds/securitycontext.go

@@ -0,0 +1,26 @@
+package objectkinds
+
+import (
+	ocpSecV1 "github.com/openshift/api/security/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const (
+	// Service represents Kubernetes Service objects.
+	SecurityContextConstraints = "SecurityContextConstraints"
+)
+
+var (
+	sccGVK = ocpSecV1.SchemeGroupVersion.WithKind("SecurityContextConstraints")
+)
+
+func init() {
+	RegisterObjectKind(SecurityContextConstraints, MatcherFunc(func(gvk schema.GroupVersionKind) bool {
+		return gvk == sccGVK
+	}))
+}
+
+// GetSCCAPIVersion returns SCC's apiversion
+func GetSCCAPIVersion() string {
+	return sccGVK.GroupVersion().String()
+}

pkg/templates/all/all.go

@@ -46,6 +46,7 @@ import (
 	_ "golang.stackrox.io/kube-linter/pkg/templates/requiredannotation"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/requiredlabel"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/runasnonroot"
+	_ "golang.stackrox.io/kube-linter/pkg/templates/sccdenypriv"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/serviceaccount"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/servicetype"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/sysctl"