rspec/rules/S6428/kubernetes/rule.adoc

include::../common/summary.adoc[]

Process permissions in privileged containers are essentially the same as root
permissions on the host. If these processes are not protected by robust
security measures, an attacker who compromises a root process on a Pod's host
is likely to gain the ability to pivot within the cluster. +
Depending on how resilient the cluster is, attackers can extend their attack to
the cluster by compromising the nodes from which the cluster launched the
process.

== Ask Yourself Whether

* The services of this Pod are accessible to people who are not administrators of the Kubernetes cluster.

There is a risk if you answered yes to this question.

include::../common/secure-coding-practices.adoc[]

== Sensitive Code Example

[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
      securityContext:
        privileged: true # Sensitive
----

== Compliant Solution

[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
      securityContext:
        privileged: false
----

include::../common/see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../common/message-highlighting.adoc[]

endif::env-github,rspecator-view[]
Modify rule S6428: Add Ansible (APPSEC-2159) (#4357) * Add ansible to rule S6428 * Add Ansible text * Fix typo * Fix typo in Kubernetes too --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2024-10-07 15:09:51 +02:00			`include::../common/summary.adoc[]`
Create rule S6428: Running a container in privileged mode is security-sensitive (APPSEC-16) 2022-07-12 10:46:23 +02:00
			`Process permissions in privileged containers are essentially the same as root`
			`permissions on the host. If these processes are not protected by robust`
			`security measures, an attacker who compromises a root process on a Pod's host`
			`is likely to gain the ability to pivot within the cluster. +`
			`Depending on how resilient the cluster is, attackers can extend their attack to`
			`the cluster by compromising the nodes from which the cluster launched the`
			`process.`

			`== Ask Yourself Whether`

			`* The services of this Pod are accessible to people who are not administrators of the Kubernetes cluster.`

Modify rule S6428: Add Ansible (APPSEC-2159) (#4357) * Add ansible to rule S6428 * Add Ansible text * Fix typo * Fix typo in Kubernetes too --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2024-10-07 15:09:51 +02:00			`There is a risk if you answered yes to this question.`
Create rule S6428: Running a container in privileged mode is security-sensitive (APPSEC-16) 2022-07-12 10:46:23 +02:00
Modify rule S6428: Add Ansible (APPSEC-2159) (#4357) * Add ansible to rule S6428 * Add Ansible text * Fix typo * Fix typo in Kubernetes too --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2024-10-07 15:09:51 +02:00			`include::../common/secure-coding-practices.adoc[]`
Create rule S6428: Running a container in privileged mode is security-sensitive (APPSEC-16) 2022-07-12 10:46:23 +02:00
			`== Sensitive Code Example`

			`[source,yaml]`
			`----`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: example`
			`spec:`
			`containers:`
			`- name: web`
			`image: nginx`
			`ports:`
			`- name: web`
			`containerPort: 80`
			`protocol: TCP`
			`securityContext:`
			`privileged: true # Sensitive`
			`----`

			`== Compliant Solution`

			`[source,yaml]`
			`----`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: example`
			`spec:`
			`containers:`
			`- name: web`
			`image: nginx`
			`ports:`
			`- name: web`
			`containerPort: 80`
			`protocol: TCP`
			`securityContext:`
			`privileged: false`
			`----`

Modify rule S6428: Add Ansible (APPSEC-2159) (#4357) * Add ansible to rule S6428 * Add Ansible text * Fix typo * Fix typo in Kubernetes too --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2024-10-07 15:09:51 +02:00			`include::../common/see.adoc[]`
Create rule S6428: Running a container in privileged mode is security-sensitive (APPSEC-16) 2022-07-12 10:46:23 +02:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Modify rule S6428: Add Ansible (APPSEC-2159) (#4357) * Add ansible to rule S6428 * Add Ansible text * Fix typo * Fix typo in Kubernetes too --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2024-10-07 15:09:51 +02:00			`include::../common/message-highlighting.adoc[]`
Create rule S6428: Running a container in privileged mode is security-sensitive (APPSEC-16) 2022-07-12 10:46:23 +02:00
			`endif::env-github,rspecator-view[]`