Evaluating C-0037 seems to report false positives as well as false negatives #1647

Open
jankoh opened this issue Mar 25, 2024 · 1 comment
Labels: bug Something isn't working

jankoh commented Mar 25, 2024

Description

Kubescape's documentation states that auto-mounting a service account token should be disabled in the service account itself or at the pod level. It also states that it is the pod level that takes precedence. However, it seems Kubescape is only looking at the service account to determine whether or not a service account token is auto-mounted in a pod. This leads to a false positive when auto-mounting is enabled at the service account level but disabled at the pod level. It also leads to a possibly worse false negative when auto-mounting is disabled at the service account level but enabled at the pod level.

Environment

OS: Pop!OS 22.04
Version: 3.0.7

Steps To Reproduce

I compiled a minimal chart demonstrating the issue, as well as an exception.json to ignore all errors introduced by minimalising the example, except C-0034:

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-with-mounted-token-1
  namespace: kubescape-test
# This *may* trigger C-0034
automountServiceAccountToken: true
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-with-unmounted-token-1
  namespace: kubescape-test
# This *may* trigger C-0034
automountServiceAccountToken: true
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-with-unmounted-token-2
  namespace: kubescape-test
# This *may* trigger C-0034
automountServiceAccountToken: false
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-with-mounted-token-2
  namespace: kubescape-test
# This *may* trigger C-0034
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-with-mounted-token-1
  namespace: kubescape-test
spec:
  # selector and pod labels are required by apps/v1 for the manifest to be
  # accepted by the API server; they do not affect the control being tested
  selector:
    matchLabels:
      app: test-with-mounted-token-1
  template:
    metadata:
      name: test-with-mounted-token-1
      labels:
        app: test-with-mounted-token-1
    spec:
      serviceAccountName: test-with-mounted-token-1
      # This *must* trigger C-0034
      automountServiceAccountToken: true
      containers:
        - name: busybox
          image: busybox:latest
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-with-unmounted-token-1
  namespace: kubescape-test
spec:
  selector:
    matchLabels:
      app: test-with-unmounted-token-1
  template:
    metadata:
      name: test-with-unmounted-token-1
      labels:
        app: test-with-unmounted-token-1
    spec:
      serviceAccountName: test-with-unmounted-token-1
      # This *should not* trigger C-0034 (pod-level false overrides the SA's true)
      automountServiceAccountToken: false
      containers:
        - name: busybox
          image: busybox:latest
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-with-unmounted-token-2
  namespace: kubescape-test
spec:
  selector:
    matchLabels:
      app: test-with-unmounted-token-2
  template:
    metadata:
      name: test-with-unmounted-token-2
      labels:
        app: test-with-unmounted-token-2
    spec:
      serviceAccountName: test-with-unmounted-token-2
      # This *should not* trigger C-0034
      automountServiceAccountToken: false
      containers:
        - name: busybox
          image: busybox:latest
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-with-mounted-token-2
  namespace: kubescape-test
spec:
  selector:
    matchLabels:
      app: test-with-mounted-token-2
  template:
    metadata:
      name: test-with-mounted-token-2
      labels:
        app: test-with-mounted-token-2
    spec:
      serviceAccountName: test-with-mounted-token-2
      # This *must* trigger C-0034 (pod-level true overrides the SA's false)
      automountServiceAccountToken: true
      containers:
        - name: busybox
          image: busybox:latest
```
exception.json:

```json
[
  {
    "name": "exclude-all-errors-except-c-0034",
    "policyType": "postureExceptionPolicy",
    "actions": ["alertOnly"],
    "resources": [
      {
        "designatorType": "Attributes",
        "attributes": {
          "name": ".*"
        }
      }
    ],
    "posturePolicies": [
      {"controlID": "C-0013"},
      {"controlID": "C-0016"},
      {"controlID": "C-0017"},
      {"controlID": "C-0018"},
      {"controlID": "C-0030"},
      {"controlID": "C-0055"},
      {"controlID": "C-0056"},
      {"controlID": "C-0076"},
      {"controlID": "C-0077"},
      {"controlID": "C-0237"},
      {"controlID": "C-0260"},
      {"controlID": "C-0270"},
      {"controlID": "C-0271"}
    ]
  }
]
```

Expected behavior

The scan should report pods that have auto-mounting of the service account token enabled, and not report pods that do not auto-mount the service account token.

Actual Behavior

The scan reports auto-mounting of the service account token based only on the setting in the service account itself.

@jankoh jankoh added the bug Something isn't working label Mar 25, 2024
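The evaluation the issue is asking for, as an added example that is not Kubescape's code nor the reporter's: it applies the Kubernetes precedence rule (the pod spec's `automountServiceAccountToken` wins when set, the ServiceAccount's value is used when the pod is silent, and `true` is the final default) to a constructed set of resources that mirrors the chart above. An `sa_only` mode is an assumption standing in for the behaviour the issue describes (consulting the ServiceAccount alone), so the two views can be diffed to surface the false positive and false negative. The example also checks one thing a practitioner wants that the chart does not cover: a pod can still receive a token through an explicit projected `serviceAccountToken` volume even with automount disabled, so the constructed sample includes one such Deployment. The function and sample names are this example's own.

```python
# Added example, not Kubescape's own control logic. Resources are plain dicts
# shaped like the Kubernetes objects (constructed sample below).
from typing import Optional

DEFAULT_AUTOMOUNT = True  # Kubernetes default when neither field is set
POD_TEMPLATE_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job")


def pod_spec_of(resource: dict) -> Optional[dict]:
    """Return the pod spec embedded in a workload resource, or None."""
    kind = resource.get("kind")
    if kind == "Pod":
        return resource["spec"]
    if kind in POD_TEMPLATE_KINDS:
        return resource["spec"]["template"]["spec"]
    if kind == "CronJob":
        return resource["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return None


def effective_automount(pod_spec: dict, sa: Optional[dict]) -> bool:
    """Pod-level setting wins; then the ServiceAccount's; then the default."""
    if pod_spec.get("automountServiceAccountToken") is not None:
        return bool(pod_spec["automountServiceAccountToken"])
    if sa is not None and sa.get("automountServiceAccountToken") is not None:
        return bool(sa["automountServiceAccountToken"])
    return DEFAULT_AUTOMOUNT


def has_projected_token_volume(pod_spec: dict) -> bool:
    """automount=false does not stop an explicit projected token volume."""
    for vol in pod_spec.get("volumes") or []:
        for src in (vol.get("projected") or {}).get("sources") or []:
            if "serviceAccountToken" in src:
                return True
    return False


def evaluate(resources: list, sa_only: bool = False) -> dict:
    """Map 'Kind/namespace/name' -> True if the workload's pods get a token."""
    sas = {(r["metadata"].get("namespace", "default"), r["metadata"]["name"]): r
           for r in resources if r.get("kind") == "ServiceAccount"}
    findings = {}
    for r in resources:
        spec = pod_spec_of(r)
        if spec is None:
            continue
        ns = r["metadata"].get("namespace", "default")
        sa_name = spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"
        sa = sas.get((ns, sa_name))
        if sa_only:
            # Assumed model of the behaviour the issue reports: pod spec never consulted.
            mounted = effective_automount({}, sa)
        else:
            mounted = effective_automount(spec, sa) or has_projected_token_volume(spec)
        findings[f"{r['kind']}/{ns}/{r['metadata']['name']}"] = mounted
    return findings


def disagreements(resources: list) -> list:
    """Workloads where the SA-only view and the precedence-aware view differ."""
    correct, naive = evaluate(resources), evaluate(resources, sa_only=True)
    return sorted(k for k in correct if correct[k] != naive[k])


# Constructed sample mirroring the chart in the issue, plus one extra
# Deployment that mounts a token through a projected volume.
def _sa(name, automount):
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": name, "namespace": "kubescape-test"},
            "automountServiceAccountToken": automount}


def _deploy(name, sa_name, automount, volumes=None):
    spec = {"serviceAccountName": sa_name, "automountServiceAccountToken": automount,
            "containers": [{"name": "busybox", "image": "busybox:latest"}]}
    if volumes:
        spec["volumes"] = volumes
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "namespace": "kubescape-test"},
            "spec": {"template": {"spec": spec}}}


SAMPLE_RESOURCES = [
    _sa("test-with-mounted-token-1", True),
    _sa("test-with-unmounted-token-1", True),
    _sa("test-with-unmounted-token-2", False),
    _sa("test-with-mounted-token-2", False),
    _deploy("test-with-mounted-token-1", "test-with-mounted-token-1", True),
    _deploy("test-with-unmounted-token-1", "test-with-unmounted-token-1", False),
    _deploy("test-with-unmounted-token-2", "test-with-unmounted-token-2", False),
    _deploy("test-with-mounted-token-2", "test-with-mounted-token-2", True),
    _deploy("test-with-projected-token", "test-with-unmounted-token-2", False,
            volumes=[{"name": "tok", "projected": {"sources": [
                {"serviceAccountToken": {"path": "token"}}]}}]),
]

if __name__ == "__main__":
    for name, mounted in evaluate(SAMPLE_RESOURCES).items():
        print(f"{name}: token mounted = {mounted}")
    print("misjudged by SA-only evaluation:", disagreements(SAMPLE_RESOURCES))
```

Run stand-alone, `disagreements` lists exactly the two Deployments the issue calls out (the false positive `test-with-unmounted-token-1` and the false negative `test-with-mounted-token-2`) plus the projected-volume case, which an SA-only or automount-only check would both miss.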
matthyx (Contributor) commented Mar 26, 2024

thanks @jankoh we'll look at it during the next bug triage
cc @YiscahLevySilas1

@matthyx matthyx self-assigned this Apr 30, 2024