
[FEATURE_REQUEST] Expand run-as-non-root template to verify runAsGroup field is nonzero. #748

Open
ariyonaty opened this issue Mar 17, 2024 · 1 comment · May be fixed by #804
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@ariyonaty

Description of the problem/feature request
In addition to it being a best security practice for pods to have runAsUser set to a non-zero value, it is also recommended that the GID, determined by either the runtime default security context or the runAsGroup field, is set to a non-zero value.

Would like to propose either creating a new template/check or extending the existing run-as-non-root template to check the runAsGroup field.

Description of the existing behavior vs. expected behavior
Below is a snippet of the behavior when runAsUser is set to 0. Expected behavior would be along similar lines.

$ ./kube-linter lint ~/Documents/kube-linter/pkg/command/lint/testdata/valid-pod.yaml
KubeLinter 0.6.8

/home/user/Documents/kube-linter/pkg/command/lint/testdata/valid-pod.yaml: (object: <no namespace>/homebrew-demo /v1, Kind=Pod) container "homebrew-test" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)

Error: found 1 lint errors

Additional context
Not particularly familiar with Go, but would be glad to take a crack at this.
Just let me know if there's any particular preference to either extend or create a new template (or any other helpful suggestions/pointers).
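
A sketch of such a check, added here as an example (it is not kube-linter's code or the issue author's): it is written in Go against hypothetical local stand-in types for the Pod schema rather than k8s.io/api, and takes the manifest in JSON form so it runs with the standard library alone. It applies the Kubernetes precedence rule (a container's securityContext overrides the pod-level one) and, by the example's own choice, also reports containers where runAsGroup is unset, since the runtime default then decides the GID.

```go
package main
import "encoding/json"

// Minimal subset of the Pod schema this check needs (hypothetical local types,
// not kube-linter's own or k8s.io/api); a nil pointer means "field not set".
type SecurityContext struct {
	RunAsGroup *int64 `json:"runAsGroup,omitempty"`
}
type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}
type PodSpec struct {
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	Containers      []Container      `json:"containers"`
}
// Constructed sample: pod-level runAsGroup 0, one container inheriting it and
// one overriding it with a non-root GID.
const SampleManifest = `{"spec":{"securityContext":{"runAsGroup":0},"containers":[{"name":"app"},{"name":"sidecar","securityContext":{"runAsGroup":1000}}]}}`

// effectiveRunAsGroup: a container's securityContext overrides the pod's;
// nil means neither sets runAsGroup, so the image/runtime default decides.
func effectiveRunAsGroup(spec *PodSpec, c *Container) *int64 {
	if c.SecurityContext != nil && c.SecurityContext.RunAsGroup != nil {
		return c.SecurityContext.RunAsGroup
	}
	if spec.SecurityContext != nil {
		return spec.SecurityContext.RunAsGroup
	}
	return nil
}

// CheckRunAsGroup maps each offending container name to the reason: unset or 0.
func CheckRunAsGroup(manifest []byte) (map[string]string, error) {
	var pod struct{ Spec PodSpec `json:"spec"` }
	if err := json.Unmarshal(manifest, &pod); err != nil {
		return nil, err
	}
	findings := map[string]string{}
	for i := range pod.Spec.Containers {
		c := &pod.Spec.Containers[i]
		switch gid := effectiveRunAsGroup(&pod.Spec, c); {
		case gid == nil:
			findings[c.Name] = "runAsGroup is not set"
		case *gid == 0:
			findings[c.Name] = "runAsGroup is 0 (root group)"
		}
	}
	return findings, nil
}
```

Running CheckRunAsGroup over SampleManifest reports only "app", because "sidecar" overrides the pod-level GID 0 with 1000.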

@ariyonaty ariyonaty changed the title [FEATURE_REQUEST] Expand run-as-non-root template to verify runAsGroup field is nonzero. [FEATURE_REQUEST] Expand run-as-non-root template to verify runAsGroup field is nonzero. Mar 17, 2024
@janisz janisz added enhancement New feature or request good first issue Good for newcomers labels Jun 12, 2024
@janisz
Collaborator

janisz commented Jun 12, 2024

I think it could be added to https://docs.kubelinter.io/#/generated/checks?id=run-as-non-root
