allow_privilege_escalation policy bug

[pfrydids]

Description

I have deployed version 2.26.0 of the ebs-csi-node helm chart.

trivy k8s daemonset/ebs-csi-node -n kube-system --compliance=k8s-nsa --report all | grep allowPrivilegeEscalation

results in

MEDIUM: Container 'ebs-plugin' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false
MEDIUM: Container 'liveness-probe' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false
MEDIUM: Container 'node-driver-registrar' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false

Which I think is due to it not differentiating between containers (only 1 container allows privilege escalation).

The net result is a compliance report which is reporting far to many violations.

I have focused on the allowPrivilegeEscalation but I think it applies to many others.

Desired Behavior

The command to return

MEDIUM: Container 'ebs-plugin' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false

Actual Behavior

MEDIUM: Container 'ebs-plugin' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false
MEDIUM: Container 'liveness-probe' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false
MEDIUM: Container 'node-driver-registrar' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false

Reproduction Steps

1. create an EKS cluster
2. helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
3. helm repo update 
3. helm upgrade --install aws-ebs-csi-driver \
    --namespace kube-system \
    aws-ebs-csi-driver/aws-ebs-csi-driver
4. trivy k8s daemonset/ebs-csi-node -n kube-system --compliance=k8s-nsa --report all | grep allowPrivilegeEscalation
...

Target

Kubernetes

Scanner

None

Output Format

None

Mode

None

Debug Output

N/A

Operating System

Linux

Version

Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-16 12:10:36.125232797 +0000 UTC
  NextUpdate: 2024-02-16 18:10:36.125232236 +0000 UTC
  DownloadedAt: 2024-02-16 15:50:02.324521447 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-12 00:45:04.687521318 +0000 UTC
  NextUpdate: 2024-02-15 00:45:04.687521198 +0000 UTC
  DownloadedAt: 2024-02-12 09:56:34.090366145 +0000 UTC
Policy Bundle:
  Digest: sha256:73a2a1a91c421860d22f08b990a0ca28fee4ca1e1b45e0bdea14357867e31eb6
  DownloadedAt: 2024-02-16 15:50:03.057462809 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[petenorth]

I think there is an issue in the underlying policy.

To illustrate:

test_privileged_is_true_denied {
        r := deny with input as {
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata": {"name": "hello-privileged"},
                "spec": {"containers": [{
                        "command": [
                                "sh",
                                "-c",
                                "echo 'Hello' && sleep 1h",
                        ],
                        "image": "busybox",
                        "name": "hello",
                        "securityContext": {"privileged": true},
                },
{
                        "command": [
                                "sh",
                                "-c",
                                "echo 'Hello' && sleep 1h",
                        ],
                        "image": "busybox",
                        "name": "hello2",
                        "securityContext": {"privileged": false},
                }]},
        }

        count(r) == 1
}

this test succeeds but

test_allow_privilege_escalation_set_to_false_allowed {
        r := deny with input as {
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata": {"name": "hello-privilege-escalation"},
                "spec": {"containers": [{
                        "command": [
                                "sh",
                                "-c",
                                "echo 'Hello' && sleep 1h",
                        ],
                        "image": "busybox",
                        "name": "hello",
                        "securityContext": {"allowPrivilegeEscalation": true},
                },
                {
                       "command": [
                               "sh",
                               "-c",
                               "echo 'Hello' && sleep 1h",
                       ],
                       "image": "busybox",
                       "name": "hello2",
                       "securityContext": {"allowPrivilegeEscalation": false},
                }]},
        }
        count(r) == 1
}

fails (ignore the test name) . It succeeds if the count is condition checks for a value of 2.

I looked into the two policies and they are implemented in a significantly different way. I am a rego newbie so can't really comment on what is wrong in the allowPrivilegeEscalation policy.

[pfrydids]

@nikpivkin @simar7 is this a bug in the policy, does trivy use the policies as defined in the trivy-policies repo?

[simar7]

cc @chen-keinan

[pfrydids]

Can anybody comment on this? I've provided a clear test case.

[nikpivkin]

Hi @pfrydids !

I created issue #6232

/cc @chen-keinan

[pfrydids]

@nikpivkin thanks for the PR. Just wondered what the relationship between this repo and a particular version of the trivy executable is?

If I run trivy version

I get

Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-29 12:16:51.180699093 +0000 UTC
  NextUpdate: 2024-02-29 18:16:51.180698723 +0000 UTC
  DownloadedAt: 2024-02-29 14:01:28.428567171 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-21 11:07:56.507504908 +0000 UTC
  NextUpdate: 2024-02-24 11:07:56.507504788 +0000 UTC
  DownloadedAt: 2024-02-21 14:09:47.84341837 +0000 UTC
Policy Bundle:
  Digest: sha256:73a2a1a91c421860d22f08b990a0ca28fee4ca1e1b45e0bdea14357867e31eb6
  DownloadedAt: 2024-02-29 14:01:30.103740857 +0000 UTC

Can I relate any of this information to a commit in this repo?

[simar7]

Trivy downloads a policy bundle that is hosted on the GitHub container registry within the Trivy-polices repo.

[pfrydids]

@simar7 Have tested and can confirm that the updated policy has resolved the issue - many thanks

[simar7]

Awesome, thanks for reporting back to us!