
Allow Wildcard for repository names defined in imageRepositoryAllowList in controls-inputs.json #1597

Open
matheensyedaslam opened this issue Feb 1, 2024 · 1 comment
Labels
feature New feature or request

Comments


matheensyedaslam commented Feb 1, 2024

Description

Not able to define a registry name as a wildcard for imageRepositoryAllowList in controls-inputs.json.
In an earlier version a wildcard entry was allowed, but in the latest version it seems the wildcard is not applicable.

Environment

OS:
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
Version:
kubescape version
Your current version is: v3.0.3

Steps To Reproduce

1. Download kubescape controls:
kubescape download controls-inputs
2. Update the controls.json file with an imageRepositoryAllowList list of domains:
[".*jfrog.io","434343.dkr.ecr.*.amazonaws.com"]
3. Now create a test.yaml with a registry in a different region, as below:

apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
  - name: app
    image: 434343.dkr.ecr.eu-west-1.amazonaws.com/app:v4
    resources:
      requests:
        memory: "128Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"

4. Now run the scan:
cat test.yaml | kubescape scan control C-0073,C-0075,C-0078 - -v -t 0 --controls-config controls.json

cat test.yaml | kubescape scan control C-0073,C-0075,C-0078 - -v -t 0 --controls-config controls.json
Flag --fail-threshold has been deprecated, use '--compliance-threshold' flag instead. Flag will be removed at 1.Dec.2023
 ✅  Initialized scanner
 ✅  Loaded policies
 ✅  Loaded exceptions
 ✅  Loaded account configurations
 ✅  Done accessing local objects
Control: C-0075 100% |██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| (3/3, 149 it/s)
 ✅  Done scanning File
 ✅  Done aggregating results


──────────────────────────────────────────────────


################################################################################
Source: tmp-kubescape2243855037.yaml
ApiVersion: v1
Kind: Pod
Name: frontend

Controls: 3 (Failed: 2, action required: 0)

┌──────────┬──────────────────────────────┬────────────────────────────────────┬──────────────────────────┐
│ Severity │ Control name                 │ Docs                               │ Assisted remediation     │
├──────────┼──────────────────────────────┼────────────────────────────────────┼──────────────────────────┤
│ Medium   │ Images from allowed registry │ https://hub.armosec.io/docs/c-0078 │ spec.containers[0].image │
├──────────┼──────────────────────────────┼────────────────────────────────────┼──────────────────────────┤
│ Low      │ Naked pods                   │ https://hub.armosec.io/docs/c-0073 │                          │
└──────────┴──────────────────────────────┴────────────────────────────────────┴──────────────────────────┘


┌─────────────────┬───┐
│        Controls │ 3 │
│          Passed │ 1 │
│          Failed │ 2 │
│ Action Required │ 0 │
└─────────────────┴───┘

Failed resources by severity:

┌──────────┬───┐
│ Critical │ 0 │
│     High │ 0 │
│   Medium │ 1 │
│      Low │ 1 │
└──────────┴───┘

┌──────────┬─────────────────────────────────┬──────────────────┬───────────────┬──────────────────┐
│ Severity │ Control name                    │ Failed resources │ All Resources │ Compliance score │
├──────────┼─────────────────────────────────┼──────────────────┼───────────────┼──────────────────┤
│  Medium  │ Images from allowed registry    │        1         │       1       │        0%        │
│   Low    │ Naked pods                      │        1         │       1       │        0%        │
│   Low    │ Image pull policy on latest tag │        0         │       1       │       100%       │
├──────────┼─────────────────────────────────┼──────────────────┼───────────────┼──────────────────┤
│          │        Resource Summary         │        1         │       1       │      33.33%      │
└──────────┴─────────────────────────────────┴──────────────────┴───────────────┴──────────────────┘

5. Update the controls.json file with an imageRepositoryAllowList list of domains with the exact registry:
[".*jfrog.io","434343.dkr.ecr.eu-west-1.amazonaws.com"]
6. Now run the scan again:
cat test.yaml | kubescape scan control C-0073,C-0075,C-0078 - -v -t 0 --controls-config controls.json

cat test.yaml | kubescape scan control C-0073,C-0075,C-0078 - -v -t 0 --controls-config controls.json
Flag --fail-threshold has been deprecated, use '--compliance-threshold' flag instead. Flag will be removed at 1.Dec.2023
 ✅  Initialized scanner
 ✅  Loaded policies
 ✅  Loaded exceptions
 ✅  Loaded account configurations
 ✅  Done accessing local objects
Control: C-0075 100% |██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| (3/3, 122 it/s)
 ✅  Done scanning File
 ✅  Done aggregating results


──────────────────────────────────────────────────


################################################################################
Source: tmp-kubescape185398782.yaml
ApiVersion: v1
Kind: Pod
Name: frontend

Controls: 3 (Failed: 1, action required: 0)

┌──────────┬──────────────┬────────────────────────────────────┬──────────────────────┐
│ Severity │ Control name │ Docs                               │ Assisted remediation │
├──────────┼──────────────┼────────────────────────────────────┼──────────────────────┤
│ Low      │ Naked pods   │ https://hub.armosec.io/docs/c-0073 │                      │
└──────────┴──────────────┴────────────────────────────────────┴──────────────────────┘


┌─────────────────┬───┐
│        Controls │ 3 │
│          Passed │ 2 │
│          Failed │ 1 │
│ Action Required │ 0 │
└─────────────────┴───┘

Failed resources by severity:

┌──────────┬───┐
│ Critical │ 0 │
│     High │ 0 │
│   Medium │ 0 │
│      Low │ 1 │
└──────────┴───┘

┌──────────┬─────────────────────────────────┬──────────────────┬───────────────┬──────────────────┐
│ Severity │ Control name                    │ Failed resources │ All Resources │ Compliance score │
├──────────┼─────────────────────────────────┼──────────────────┼───────────────┼──────────────────┤
│  Medium  │ Images from allowed registry    │        0         │       1       │       100%       │
│   Low    │ Naked pods                      │        1         │       1       │        0%        │
│   Low    │ Image pull policy on latest tag │        0         │       1       │       100%       │
├──────────┼─────────────────────────────────┼──────────────────┼───────────────┼──────────────────┤
│          │        Resource Summary         │        1         │       1       │      66.67%      │
└──────────┴─────────────────────────────────┴──────────────────┴───────────────┴──────────────────┘

Expected behavior

controls.json should accept wildcard entry for registries in imageRepositoryAllowList

Actual Behavior

controls.json does not detect wildcard entry for registries in imageRepositoryAllowList

Additional context

@matheensyedaslam matheensyedaslam added the bug Something isn't working label Feb 1, 2024
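The issue leaves open how kubescape's matcher actually interprets an imageRepositoryAllowList entry, so the following added example (my own script, not kubescape's code) isolates the registry host of an image reference and evaluates the issue's two allow lists under two candidate semantics, anchored regex and shell-style glob, with an unanchored search included only for contrast. The function names `registry_of`, `allowed_regex`, `allowed_glob` and `allowed_loose`, and the lookalike hosts used in the comments, are constructed for illustration.

```python
"""Reference allow-list checker for container image registries.

Added example, not kubescape's own code: it shows how an
imageRepositoryAllowList entry behaves under different matching
strategies, using the image and entries from the issue above.
"""
import re
from fnmatch import translate as glob_to_regex


def registry_of(image: str) -> str:
    """Return the registry host of an image reference.

    Follows the Docker naming convention: the first path component is a
    registry only if it contains '.' or ':' or equals 'localhost';
    otherwise the image lives on docker.io.
    """
    first, sep, _rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def allowed_regex(image: str, allow_list: list[str]) -> bool:
    """Treat each entry as a regular expression that must match the
    whole registry host (the semantics the issue's entries assume)."""
    host = registry_of(image)
    return any(re.fullmatch(entry, host) for entry in allow_list)


def allowed_glob(image: str, allow_list: list[str]) -> bool:
    """Treat each entry as a shell-style glob: only '*' and '?' are
    wildcards, dots are literal, and the whole host must match."""
    host = registry_of(image)
    return any(re.fullmatch(glob_to_regex(entry), host) for entry in allow_list)


def allowed_loose(image: str, allow_list: list[str]) -> bool:
    """Anti-pattern shown for contrast: an unanchored search over the
    full image string. An image on any registry whose path embeds an
    allowed host would pass this check."""
    return any(re.search(entry, image) for entry in allow_list)


# Constructed inputs taken from the issue: the two allow lists and the
# pod image from test.yaml.
WILDCARD_LIST = [".*jfrog.io", "434343.dkr.ecr.*.amazonaws.com"]
EXACT_LIST = [".*jfrog.io", "434343.dkr.ecr.eu-west-1.amazonaws.com"]
ISSUE_IMAGE = "434343.dkr.ecr.eu-west-1.amazonaws.com/app:v4"

# Constructed edge cases (hypothetical hosts, not real registries):
#   cdn.jfrog-io            matches ".*jfrog.io" because the dot is unescaped
#   jfrog.io.example.com    rejected by fullmatch, accepted by a loose search
#   attacker.example/434343.dkr.ecr.eu-west-1.amazonaws.com/app:v4
#                           allowed host appears in the path, not the registry
if __name__ == "__main__":
    for name, fn in (("regex", allowed_regex), ("glob", allowed_glob)):
        print(f"{name:5} wildcard list -> {fn(ISSUE_IMAGE, WILDCARD_LIST)}")
        print(f"{name:5} exact list    -> {fn(ISSUE_IMAGE, EXACT_LIST)}")
```

Under either anchored semantics the issue's wildcard entry does accept the eu-west-1 image, so a scanner that rejects it is applying something narrower than a regex or glob over the registry host. Two caveats follow from the edge cases regardless of which semantics the tool adopts: the entry `.*jfrog.io` contains an unescaped dot, so `.*\.jfrog\.io` (regex) or `*.jfrog.io` (glob) is the tighter spelling, and the match must be made against the registry component with full-string anchoring, otherwise an image hosted elsewhere whose repository path embeds an allowed host name passes.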
dwertent (Contributor) commented Feb 1, 2024

Thank you for suggesting this.
@yossi77 what do you think about this feature request?

@matthyx matthyx added feature New feature or request and removed bug Something isn't working labels Apr 2, 2024